1. 26 May, 2018 2 commits
  2. 24 May, 2018 1 commit
    • fix io_destroy()/aio_complete() race · 4faa9996
      Al Viro committed
      If io_destroy() gets to cancelling everything that can be cancelled and
      gets to kiocb_cancel() calling the function driver has left in ->ki_cancel,
      it becomes vulnerable to a race with IO completion.  At that point req
      is already taken off the list and aio_complete() does *NOT* spin until
      we (in free_ioctx_users()) release ->ctx_lock.  As the result, it proceeds
      to kiocb_free(), freeing req just as it gets passed to ->ki_cancel().
      
      Fix is simple - remove from the list after the call of kiocb_cancel().  All
      instances of ->ki_cancel() already have to cope with being called with
      iocb still on list - that's what happens in io_cancel(2).
      
      Cc: stable@kernel.org
      Fixes: 0460fef2 "aio: use cancellation list lazily"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  3. 22 May, 2018 10 commits
    • aio: fix io_destroy(2) vs. lookup_ioctx() race · baf10564
      Al Viro committed
      kill_ioctx() used to have an explicit RCU delay between removing the
      reference from ->ioctx_table and percpu_ref_kill() dropping the refcount.
      At some point that delay had been removed, on the theory that
      percpu_ref_kill() itself contained an RCU delay.  Unfortunately, that was
      the wrong kind of RCU delay and it didn't care about rcu_read_lock() used
      by lookup_ioctx().  As the result, we could get ctx freed right under
      lookup_ioctx().  Tejun has fixed that in a6d7cff4 ("fs/aio: Add explicit
      RCU grace period when freeing kioctx"); however, that fix is not enough.
      
      Suppose io_destroy() from one thread races with e.g. io_setup() from another;
      CPU1 removes the reference from current->mm->ioctx_table[...] just as CPU2
      has picked it (under rcu_read_lock()).  Then CPU1 proceeds to drop the
      refcount, getting it to 0 and triggering a call of free_ioctx_users(),
      which proceeds to drop the secondary refcount and once that reaches zero
      calls free_ioctx_reqs().  That does
              INIT_RCU_WORK(&ctx->free_rwork, free_ioctx);
              queue_rcu_work(system_wq, &ctx->free_rwork);
      and schedules freeing the whole thing after RCU delay.
      
      In the meanwhile CPU2 has gotten around to percpu_ref_get(), bumping the
      refcount from 0 to 1 and returned the reference to io_setup().
      
      Tejun's fix (that queue_rcu_work() in there) guarantees that ctx won't get
      freed until after percpu_ref_get().  Sure, we'd increment the counter before
      ctx can be freed.  Now we are out of rcu_read_lock() and there's nothing to
      stop freeing of the whole thing.  Unfortunately, CPU2 assumes that since it
      has grabbed the reference, ctx is *NOT* going away until it gets around to
      dropping that reference.
      
      The fix is obvious - use percpu_ref_tryget_live() and treat failure as miss.
      It's not costlier than what we currently do in normal case, it's safe to
      call since freeing *is* delayed and it closes the race window - either
      lookup_ioctx() comes before percpu_ref_kill() (in which case ctx->users
      won't reach 0 until the caller of lookup_ioctx() drops it) or lookup_ioctx()
      fails, ctx->users is unaffected and caller of lookup_ioctx() doesn't see
      the object in question at all.
      
      Cc: stable@kernel.org
      Fixes: a6d7cff4 "fs/aio: Add explicit RCU grace period when freeing kioctx"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • ext2: fix a block leak · 5aa1437d
      Al Viro committed
      open file, unlink it, then use ioctl(2) to make it immutable or
      append only.  Now close it and watch the blocks *not* freed...
      
      Immutable/append-only checks belong in ->setattr().
      Note: the bug is old and backport to anything prior to 737f2e93
      ("ext2: convert to use the new truncate convention") will need
      these checks lifted into ext2_setattr().
      
      Cc: stable@kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • nfsd: vfs_mkdir() might succeed leaving dentry negative unhashed · 3819bb0d
      Al Viro committed
      That can (and does, on some filesystems) happen - ->mkdir() (and thus
      vfs_mkdir()) can legitimately leave its argument negative and just
      unhash it, counting upon the lookup to pick the object we'd created
      next time we try to look at that name.
      
      Some vfs_mkdir() callers forget about that possibility...
      Acked-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • cachefiles: vfs_mkdir() might succeed leaving dentry negative unhashed · 9c3e9025
      Al Viro committed
      That can (and does, on some filesystems) happen - ->mkdir() (and thus
      vfs_mkdir()) can legitimately leave its argument negative and just
      unhash it, counting upon the lookup to pick the object we'd created
      next time we try to look at that name.
      
      Some vfs_mkdir() callers forget about that possibility...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • unfuck sysfs_mount() · 7b745a4e
      Al Viro committed
      new_sb is left uninitialized in case of early failures in kernfs_mount_ns(),
      and while IS_ERR(root) is true in all such cases, using IS_ERR(root) || !new_sb
      is not a solution - IS_ERR(root) is true in some cases when new_sb is true.
      
      Make sure new_sb is initialized (and matches the reality) in all cases and
      fix the condition for dropping kobj reference - we want it done precisely
      in those situations where the reference has not been transferred into a new
      super_block instance.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • kernfs: deal with kernfs_fill_super() failures · 82382ace
      Al Viro committed
      make sure that info->node is initialized early, so that kernfs_kill_sb()
      can list_del() it safely.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • cramfs: Fix IS_ENABLED typo · 08a8f308
      Joe Perches committed
      There's an extra C here...
      
      Fixes: 99c18ce5 ("cramfs: direct memory access support")
      Acked-by: Nicolas Pitre <nico@linaro.org>
      Signed-off-by: Joe Perches <joe@perches.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • befs_lookup(): use d_splice_alias() · f4e4d434
      Al Viro committed
      RTFS(Documentation/filesystems/nfs/Exporting) if you try to make
      something exportable.
      
      Fixes: ac632f5b "befs: add NFS export support"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • affs_lookup: switch to d_splice_alias() · 87fbd639
      Al Viro committed
      Making something exportable takes more than providing ->s_export_ops.
      In particular, ->lookup() *MUST* use d_splice_alias() instead of
      d_add().
      
      Reading Documentation/filesystems/nfs/Exporting would've been a good idea;
      as it is, exporting AFFS is badly (and exploitably) broken.
      
      Partially-Fixes: ed4433d7 "fs/affs: make affs exportable"
      Acked-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • affs_lookup(): close a race with affs_remove_link() · 30da870c
      Al Viro committed
      we unlock the directory hash too early - if we are looking at secondary
      link and primary (in another directory) gets removed just as we unlock,
      we could have the old primary moved in place of the secondary, leaving
      us to look into freed entry (and leaving our dentry with ->d_fsdata
      pointing to a freed entry).
      
      Cc: stable@vger.kernel.org # 2.4.4+
      Acked-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  4. 14 May, 2018 1 commit
    • fix breakage caused by d_find_alias() semantics change · b127125d
      Al Viro committed
      "VFS: don't keep disconnected dentries on d_anon" had a non-trivial
      side-effect - d_unhashed() now returns true for those dentries,
      making d_find_alias() skip them altogether.  For most of its callers
      that's fine - we really want a connected alias there.  However,
      there is a codepath where we relied upon picking such aliases
      if nothing else could be found - selinux delayed initialization
      of contexts for inodes on already mounted filesystems used to
      rely upon that.
      
      Cc: stable@kernel.org # f1ee6162 "VFS: don't keep disconnected dentries on d_anon"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  5. 12 May, 2018 2 commits
    • fs: don't scan the inode cache before SB_BORN is set · 79f546a6
      Dave Chinner committed
      We recently had an oops reported on a 4.14 kernel in
      xfs_reclaim_inodes_count() where sb->s_fs_info pointed to garbage
      and so the m_perag_tree lookup walked into lala land.  It produces
      an oops down this path during the failed mount:
      
        radix_tree_gang_lookup_tag+0xc4/0x130
        xfs_perag_get_tag+0x37/0xf0
        xfs_reclaim_inodes_count+0x32/0x40
        xfs_fs_nr_cached_objects+0x11/0x20
        super_cache_count+0x35/0xc0
        shrink_slab.part.66+0xb1/0x370
        shrink_node+0x7e/0x1a0
        try_to_free_pages+0x199/0x470
        __alloc_pages_slowpath+0x3a1/0xd20
        __alloc_pages_nodemask+0x1c3/0x200
        cache_grow_begin+0x20b/0x2e0
        fallback_alloc+0x160/0x200
        kmem_cache_alloc+0x111/0x4e0
      
      The problem is that the superblock shrinker is running before the
      filesystem structures it depends on have been fully set up. i.e.
      the shrinker is registered in sget(), before ->fill_super() has been
      called, and the shrinker can call into the filesystem before
      fill_super() does its setup work. Essentially we are exposed to
      both use-after-free and use-before-initialisation bugs here.
      
      To fix this, add a check for the SB_BORN flag in super_cache_count.
      In general, this flag is not set until ->fs_mount() completes
      successfully, so we know that it is set after the filesystem
      setup has completed. This matches the trylock_super() behaviour
      which will not let super_cache_scan() run if SB_BORN is not set, and
      hence will not allow the superblock shrinker to enter the
      filesystem while it is being set up or after it has failed setup
      and is being torn down.
      
      Cc: stable@kernel.org
      Signed-Off-By: Dave Chinner <dchinner@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • do d_instantiate/unlock_new_inode combinations safely · 1e2e547a
      Al Viro committed
      For anything NFS-exported we do _not_ want to unlock new inode
      before it has grown an alias; original set of fixes got the
      ordering right, but missed the nasty complication in case of
      lockdep being enabled - unlock_new_inode() does
      	lockdep_annotate_inode_mutex_key(inode)
      which can only be done before anyone gets a chance to touch
      ->i_mutex.  Unfortunately, flipping the order and doing
      unlock_new_inode() before d_instantiate() opens a window when
      mkdir can race with open-by-fhandle on a guessed fhandle, leading
      to multiple aliases for a directory inode and all the breakage
      that follows from that.
      
      	Correct solution: a new primitive (d_instantiate_new())
      combining these two in the right order - lockdep annotate, then
      d_instantiate(), then the rest of unlock_new_inode().  All
      combinations of d_instantiate() with unlock_new_inode() should
      be converted to that.
      
      Cc: stable@kernel.org	# 2.6.29 and later
      Tested-by: Mike Marshall <hubcap@omnibond.com>
      Reviewed-by: Andreas Dilger <adilger@dilger.ca>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  6. 03 May, 2018 9 commits
  7. 30 April, 2018 4 commits
    • Linux v4.17-rc3 · 6da6c0db
      Linus Torvalds committed
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c61a56ab
      Linus Torvalds committed
      Pull x86 fixes from Thomas Gleixner:
       "Another set of x86 related updates:
      
         - Fix the long broken x32 version of the IPC user space headers which
           was noticed by Arnd Bergmann in course of his ongoing y2038 work.
           GLIBC seems to have non broken private copies of these headers so
           this went unnoticed.
      
         - Two microcode fixlets which address some more fallout from the
           recent modifications in that area:
      
            - Unconditionally save the microcode patch, which was only saved
              when CPU_HOTPLUG was enabled causing failures in the late
              loading mechanism
      
            - Make the later loader synchronization finally work under all
              circumstances. It was exiting early and causing timeout failures
              due to a missing synchronization point.
      
         - Do not use mwait_play_dead() on AMD systems to prevent excessive
           power consumption as the CPU cannot go into deep power states from
           there.
      
         - Address an annoying sparse warning due to lost type qualifiers of
           the vmemmap and vmalloc base address constants.
      
         - Prevent reserving crash kernel region on Xen PV as this leads to
           the wrong perception that crash kernels actually work there which
           is not the case. Xen PV has its own crash mechanism handled by the
           hypervisor.
      
         - Add missing TLB cpuid values to the table to make the printout on
           certain machines correct.
      
         - Enumerate the new CLDEMOTE instruction
      
         - Fix an incorrect SPDX identifier
      
         - Remove stale macros"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds
        x86/setup: Do not reserve a crash kernel region if booted on Xen PV
        x86/cpu/intel: Add missing TLB cpuid values
        x86/smpboot: Don't use mwait_play_dead() on AMD systems
        x86/mm: Make vmemmap and vmalloc base address constants unsigned long
        x86/vector: Remove the unused macro FPU_IRQ
        x86/vector: Remove the macro VECTOR_OFFSET_START
        x86/cpufeatures: Enumerate cldemote instruction
        x86/microcode: Do not exit early from __reload_late()
        x86/microcode/intel: Save microcode patch unconditionally
        x86/jailhouse: Fix incorrect SPDX identifier
    • Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 65f4d6d0
      Linus Torvalds committed
      Pull x86 pti fixes from Thomas Gleixner:
       "A set of updates for the x86/pti related code:
      
         - Preserve r8-r11 in int $0x80. r8-r11 need to be preserved, but the
           int$80 entry code removed that quite some time ago. Make it correct
           again.
      
         - A set of fixes for the Global Bit work which went into 4.17 and
           caused a bunch of interesting regressions:
      
            - Triggering a BUG in the page attribute code due to a missing
              check for early boot stage
      
            - Warnings in the page attribute code about holes in the kernel
              text mapping which are caused by the freeing of the init code.
              Handle such holes gracefully.
      
            - Reduce the amount of kernel memory which is set global to the
              actual text and do not incidentally overlap with data.
      
            - Disable the global bit when RANDSTRUCT is enabled as it
              partially defeats the hardening.
      
            - Make the page protection setup correct for vma->page_prot
              population again. The adjustment of the protections fell through
              the crack during the Global bit rework and triggers warnings on
              machines which do not support certain features, e.g. NX"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/entry/64/compat: Preserve r8-r11 in int $0x80
        x86/pti: Filter at vma->vm_page_prot population
        x86/pti: Disallow global kernel text with RANDSTRUCT
        x86/pti: Reduce amount of kernel text allowed to be Global
        x86/pti: Fix boot warning from Global-bit setting
        x86/pti: Fix boot problems from Global-bit setting
    • Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 810fb07a
      Linus Torvalds committed
      Pull timer fixes from Thomas Gleixner:
       "Two fixes from the timer department:
      
         - Fix a long standing issue in the NOHZ tick code which causes RB
           tree corruption, delayed timers and other malfunctions. The cause
           for this is code which modifies the expiry time of an enqueued
           hrtimer.
      
         - Revert the CLOCK_MONOTONIC/CLOCK_BOOTTIME unification due to
           regression reports. Seems userspace _is_ relying on the documented
           behaviour despite our hope that it won't"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        Revert: Unify CLOCK_MONOTONIC and CLOCK_BOOTTIME
        tick/sched: Do not mess with an enqueued hrtimer
  8. 29 April, 2018 8 commits
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7d9e55fe
      Linus Torvalds committed
      Pull perf fixes from Thomas Gleixner:
       "The perf update contains the following bits:
      
        x86:
         - Prevent setting freeze_on_smi on PerfMon V1 CPUs to avoid #GP
      
        perf stat:
         - Keep the '/' event modifier separator in fallback, for example when
           fallbacking from 'cpu/cpu-cycles/' to user level only, where it
           should become 'cpu/cpu-cycles/u' and not 'cpu/cpu-cycles/:u' (Jiri
           Olsa)
      
         - Fix PMU events parsing rule, improving error reporting for invalid
           events (Jiri Olsa)
      
         - Disable write_backward and other event attributes for !group events
           in a group, fixing, for instance this group: '{cycles,msr/aperf/}:S'
           that has leader sampling (:S) and where just the 'cycles', the
           leader event, should have the write_backward attribute set, in this
           case it all fails because the PMU where 'msr/aperf/' lives doesn't
           accept write_backward style sampling (Jiri Olsa)
      
         - Only fall back group read for leader (Kan Liang)
      
         - Fix core PMU alias list for x86 platform (Kan Liang)
      
         - Print out hint for mixed PMU group error (Kan Liang)
      
         - Fix duplicate PMU name for interval print (Kan Liang)
      
        Core:
         - Set main kernel end address properly when reading kernel and module
           maps (Namhyung Kim)
      
        perf mem:
         - Fix incorrect entries and add missing man options (Sangwon Hong)
      
        s/390:
         - Remove s390 specific strcmp_cpuid_cmp function (Thomas Richter)
      
         - Adapt 'perf test' case record+probe_libc_inet_pton.sh for s390
      
         - Fix s390 undefined record__auxtrace_init() return value in 'perf
           record' (Thomas Richter)"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/intel: Don't enable freeze-on-smi for PerfMon V1
        perf stat: Fix duplicate PMU name for interval print
        perf evsel: Only fall back group read for leader
        perf stat: Print out hint for mixed PMU group error
        perf pmu: Fix core PMU alias list for X86 platform
        perf record: Fix s390 undefined record__auxtrace_init() return value
        perf mem: Document incorrect and missing options
        perf evsel: Disable write_backward for leader sampling group events
        perf pmu: Fix pmu events parsing rule
        perf stat: Keep the / modifier separator in fallback
        perf test: Adapt test case record+probe_libc_inet_pton.sh for s390
        perf list: Remove s390 specific strcmp_cpuid_cmp function
        perf machine: Set main kernel end address properly
    • Merge tag 'for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · cdface52
      Linus Torvalds committed
      Pull ext4 fixes from Ted Ts'o:
       "Fix misc bugs and a regression for ext4"
      
      * tag 'for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs
        ext4: fix bitmap position validation
        ext4: set h_journal if there is a failure starting a reserved handle
        ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
    • <linux/stringhash.h>: fix end_name_hash() for 64bit long · 19b9ad67
      Amir Goldstein committed
      The comment claims that this helper will try not to lose bits, but for
      64bit long it loses the high bits before hashing 64bit long into 32bit
      int.  Use the helper hash_long() to do the right thing for 64bit long.
      For 32bit long, there is no change.
      
      All the callers of end_name_hash() either assign the result to
      qstr->hash, which is u32 or return the result as an int value (e.g.
      full_name_hash()).  Change the helper return type to int to conform to
      its users.
      
      [ It took me a while to apply this, because my initial reaction to it
        was - incorrectly - that it could make for slower code.
      
        After having looked more at it, I take back all my complaints about
        the patch, Amir was right and I was mis-reading things or just being
        stupid.
      
        I also don't worry too much about the possible performance impact of
        this on 64-bit, since most architectures that actually care about
        performance end up not using this very much (the dcache code is the
        most performance-critical, but the word-at-a-time case uses its own
        hashing anyway).
      
        So this ends up being mostly used for filesystems that do their own
        degraded hashing (usually because they want a case-insensitive
        comparison function).
      
        A _tiny_ worry remains, in that not everybody uses DCACHE_WORD_ACCESS,
        and then this potentially makes things more expensive on 64-bit
        architectures with slow or lacking multipliers even for the normal
        case.
      
        That said, realistically the only such architecture I can think of is
        PA-RISC. Nobody really cares about performance on that, it's more of a
        "look ma, I've got warts^W an odd machine" platform.
      
        So the patch is fine, and all my initial worries were just misplaced
        from not looking at this properly.   - Linus ]
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • MAINTAINERS: add myself as maintainer of AFFS · bf8f5de1
      David Sterba committed
      The AFFS filesystem is still in use by m68k community (Link #2), but as
      there was no code activity and no maintainer, the filesystem appeared on
      the list of candidates for staging/removal (Link #1).
      
      I volunteer to act as a maintainer of AFFS to collect any fixes that
      might show up and to guard fs/affs/ against another spring cleaning.
      
      Link: https://lkml.kernel.org/r/20180425154602.GA8546@bombadil.infradead.org
      Link: https://lkml.kernel.org/r/1613268.lKBQxPXt8J@merkaba
      CC: Martin Steigerwald <martin@lichtvoll.de>
      CC: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · a97d8efd
      Linus Torvalds committed
      Pull i2c fixes from Wolfram Sang:
      
       - two driver fixes
      
       - better parameter check for the core
      
       - Documentation updates
      
       - part of a tree-wide HAS_DMA cleanup
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: sprd: Fix the i2c count issue
        i2c: sprd: Prevent i2c accesses after suspend is called
        i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()
        Documentation/i2c: adopt kernel commenting style in examples
        Documentation/i2c: sync docs with current state of i2c-tools
        Documentation/i2c: whitespace cleanup
        i2c: Remove depends on HAS_DMA in case of platform dependency
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 6e041ffc
      Linus Torvalds committed
      Pull crypto fixes from Herbert Xu:
      
       - crypto API regression that may cause sporadic alloc failures
      
       - double-free bug in drbg
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: drbg - set freed buffers to NULL
        crypto: api - fix finding algorithm currently being tested
    • Merge tag '4.17-rc2-smb3' of git://git.samba.org/sfrench/cifs-2.6 · cac26428
      Linus Torvalds committed
      Pull cifs fixes from Steve French:
       "A few security related fixes for SMB3, most importantly for SMB3.11
        encryption"
      
      * tag '4.17-rc2-smb3' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: smbd: Avoid allocating iov on the stack
        cifs: smbd: Don't use RDMA read/write when signing is used
        SMB311: Fix reconnect
        SMB3: Fix 3.11 encryption to Windows and handle encrypted smb3 tcon
        CIFS: set *resp_buf_type to NO_BUFFER on error
    • Merge tag 'powerpc-4.17-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 0d95cfa9
      Linus Torvalds committed
      Pull powerpc fixes from Michael Ellerman:
       "A bunch of fixes, mostly for existing code and going to stable.
      
        Our memory hot-unplug path wasn't flushing the cache before removing
        memory. That is a problem now that we are doing memory hotplug on bare
        metal.
      
        Three fixes for the NPU code that supports devices connected via
        NVLink (ie. GPUs). The main one tweaks the TLB flush algorithm to
        avoid soft lockups for large flushes.
      
        A fix for our memory error handling where we would loop infinitely,
        returning back to the bad access and hard lockup the CPU.
      
        Fixes for the OPAL RTC driver, which wasn't handling some error cases
        correctly.
      
        A fix for a hardlockup in the powernv cpufreq driver.
      
        And finally two fixes to our smp_send_stop(), required due to a recent
        change to use it on shutdown.
      
        Thanks to: Alistair Popple, Balbir Singh, Laurentiu Tudor, Mahesh
        Salgaonkar, Mark Hairgrove, Nicholas Piggin, Rashmica Gupta, Shilpasri
        G Bhat"
      
      * tag 'powerpc-4.17-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/kvm/booke: Fix altivec related build break
        powerpc: Fix deadlock with multiple calls to smp_send_stop
        cpufreq: powernv: Fix hardlockup due to synchronous smp_call in timer interrupt
        powerpc: Fix smp_send_stop NMI IPI handling
        rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
        powerpc/mce: Fix a bug where mce loops on memory UE.
        powerpc/powernv/npu: Do a PID GPU TLB flush when invalidating a large address range
        powerpc/powernv/npu: Prevent overwriting of pnv_npu2_init_contex() callback parameters
        powerpc/powernv/npu: Add lock to prevent race in concurrent context init/destroy
        powerpc/powernv/memtrace: Let the arch hotunplug code flush cache
        powerpc/mm: Flush cache on memory hot(un)plug
  9. 28 April, 2018 3 commits
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 46dc111d
      Linus Torvalds committed
      Pull KVM fixes from Radim Krčmář:
       "ARM:
         - PSCI selection API, a leftover from 4.16 (for stable)
         - Kick vcpu on active interrupt affinity change
         - Plug a VMID allocation race on oversubscribed systems
         - Silence debug messages
         - Update Christoffer's email address (linaro -> arm)
      
        x86:
         - Expose userspace-relevant bits of a newly added feature
         - Fix TLB flushing on VMX with VPID, but without EPT"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        x86/headers/UAPI: Move DISABLE_EXITS KVM capability bits to the UAPI
        kvm: apic: Flush TLB after APIC mode/address change if VPIDs are in use
        arm/arm64: KVM: Add PSCI version selection API
        KVM: arm/arm64: vgic: Kick new VCPU on interrupt migration
        arm64: KVM: Demote SVE and LORegion warnings to debug only
        MAINTAINERS: Update e-mail address for Christoffer Dall
        KVM: arm/arm64: Close VMID generation race
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 19b522db
      Linus Torvalds committed
      Pull arm64 fixes from Will Deacon:
       "Nothing too bad, but the spectre updates to smatch identified a few
        places that may need sanitising so we've got those covered.
      
        Details:
      
         - Close some potential spectre-v1 vulnerabilities found by smatch
      
         - Add missing list sentinel for CPUs that don't require KPTI
      
         - Removal of unused 'addr' parameter for I/D cache coherency
      
         - Removal of redundant set_fs(KERNEL_DS) calls in ptrace
      
         - Fix single-stepping state machine handling in response to kernel
           traps
      
         - Clang support for 128-bit integers
      
         - Avoid instrumenting our out-of-line atomics in preparation for
           enabling LSE atomics by default in 4.18"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: avoid instrumenting atomic_ll_sc.o
        KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr()
        KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_get_irq()
        arm64: fix possible spectre-v1 in ptrace_hbp_get_event()
        arm64: support __int128 with clang
        arm64: only advance singlestep for user instruction traps
        arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp
        arm64: ptrace: remove addr_limit manipulation
        arm64: mm: drop addr parameter from sync icache and dcache
        arm64: add sentinel to kpti_safe_list
    • Merge tag 'modules-for-v4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux · 7b87308e
      Linus Torvalds committed
      Pull modules fix from Jessica Yu:
       "Fix display of module section addresses in sysfs, which were getting
        hashed with %pK and breaking tools like perf"
      
      * tag 'modules-for-v4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux:
        module: Fix display of wrong module .text address