Commit Graph

767484 Commits

Author SHA1 Message Date
Dave Chinner
e2f6ad4624 xfs: make xfs_writepage_map extent map centric
xfs_writepage_map() iterates over the bufferheads on a page to decide
what sort of IO to do and what actions to take.  However, when it comes
to reflink and deciding when it needs to execute a COW operation, we no
longer look at the bufferhead state but instead we ignore than and look
up internal state held in the COW fork extent list.

This means xfs_writepage_map() is somewhat confused. It does stuff, then
ignores it, then tries to handle the impedence mismatch by shovelling the
results inside the existing mapping code.  It works, but it's a bit of a
mess and it makes it hard to fix the cached map bug that the writepage
code currently has.

To unify the two different mechanisms, we first have to choose a direction.
That's already been set - we're de-emphasising bufferheads so they are no
longer a control structure as we need to do taht to allow for eventual
removal.  Hence we need to move away from looking at bufferhead state to
determine what operations we need to perform.

We can't completely get rid of bufferheads yet - they do contain some
state that is absolutely necessary, such as whether that part of the page
contains valid data or not (buffer_uptodate()).  Other state in the
bufferhead is redundant:

	BH_dirty - the page is dirty, so we can ignore this and just
		write it
	BH_delay - we have delalloc extent info in the DATA fork extent
		tree
	BH_unwritten - same as BH_delay
	BH_mapped - indicates we've already used it once for IO and it is
		mapped to a disk address. Needs to be ignored for COW
		blocks.

The BH_mapped flag is an interesting case - it's supposed to indicate that
it's already mapped to disk and so we can just use it "as is".  In theory,
we don't even have to do an extent lookup to find where to write it too,
but we have to do that anyway to determine we are actually writing over a
valid extent.  Hence it's not even serving the purpose of avoiding a an
extent lookup during writeback, and so we can pretty much ignore it.
Especially as we have to ignore it for COW operations...

Therefore, use the extent map as the source of information to tell us
what actions we need to take and what sort of IO we should perform.  The
first step is to have xfs_map_blocks() set the io type according to what
it looks up.  This means it can easily handle both normal overwrite and
COW cases.  The only thing we also need to add is the ability to return
hole mappings.

We need to return and cache hole mappings now for the case of multiple
blocks per page.  We no longer use the BH_mapped to indicate a block over
a hole, so we have to get that info from xfs_map_blocks().  We cache it so
that holes that span two pages don't need separate lookups.  This allows us
to avoid ever doing write IO over a hole, too.

Now that we have xfs_map_blocks() returning both a cached map and the type
of IO we need to perform, we can rewrite xfs_writepage_map() to drop all
the bufferhead control. It's also much simplified because it doesn't need
to explicitly handle COW operations.  Instead of iterating bufferheads, it
iterates blocks within the page and then looks up what per-block state is
required from the appropriate bufferhead.  It then validates the cached
map, and if it's not valid, we get a new map.  If we don't get a valid map
or it's over a hole, we skip the block.

At this point, we have to remap the bufferhead via xfs_map_at_offset().
As previously noted, we had to do this even if the buffer was already
mapped as the mapping would be stale for XFS_IO_DELALLOC, XFS_IO_UNWRITTEN
and XFS_IO_COW IO types.  With xfs_map_blocks() now controlling the type,
even XFS_IO_OVERWRITE types need remapping, as converted-but-not-yet-
written delalloc extents beyond EOF can be reported at XFS_IO_OVERWRITE.
Bufferheads that span such regions still need their BH_Delay flags cleared
and their block numbers calculated, so we now unconditionally map each
bufferhead before submission.

But wait! There's more - remember the old "treat unwritten extents as
holes on read" hack?  Yeah, that means we can have a dirty page with
unmapped, unwritten bufferheads that contain data!  What makes these so
special is that the unwritten "hole" bufferheads do not have a valid block
device pointer, so if we attempt to write them xfs_add_to_ioend() blows
up. So we make xfs_map_at_offset() do the "realtime or data device"
lookup from the inode and ignore what was or wasn't put into the
bufferhead when the buffer was instantiated.

The astute reader will have realised by now that this code treats
unwritten extents in multiple-blocks-per-page situations differently.
If we get any combination of unwritten blocks on a dirty page that contain
valid data in the page, we're going to convert them to real extents.  This
can actually be a win, because it means that pages with interleaving
unwritten and written blocks will get converted to a single written extent
with zeros replacing the interspersed unwritten blocks.  This is actually
good for reducing extent list and conversion overhead, and it means we
issue a contiguous IO instead of lots of little ones.  The downside is
that we use up a little extra IO bandwidth.  Neither of these seem like a
bad thing given that spinning disks are seek sensitive, and SSDs/pmem have
bandwidth to burn and the lower Io latency/CPU overhead of fewer, larger
IOs will result in better performance on them...

As a result of all this, the only state we actually care about from the
bufferhead is a single flag - BH_Uptodate. We still use the bufferhead to
pass some information to the bio via xfs_add_to_ioend(), but that is
trivial to separate and pass explicitly.  This means we really only need
1 bit of state per block per page from the buffered write path in the
writeback path.  Everything else we do with the bufferhead is purely to
make the buffered IO front end continue to work correctly. i.e we've
pretty much marginalised bufferheads in the writeback path completely.

Signed-off-By: Dave Chinner <dchinner@redhat.com>
[hch: forward port, refactor and split off bits into other commits]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:26:00 -07:00
Christoph Hellwig
6a4c950136 xfs: rename the offset variable in xfs_writepage_map
Calling it file_offset makes the usage more clear, especially with
a new poffset variable that will be added soon for the offset inside
the page.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:26:00 -07:00
Christoph Hellwig
5c665e5b5a xfs: remove xfs_map_cow
We can handle the existing cow mapping case as a special case directly
in xfs_writepage_map, and share code for allocating delalloc blocks
with regular I/O in xfs_map_blocks.  This means we need to always
call xfs_map_blocks for reflink inodes, but we can still skip most of
the work if it turns out that there is no COW mapping overlapping the
current block.

As a subtle detail we need to start caching holes in the wpc to deal
with the case of COW reservations between EOF.  But we'll need that
infrastructure later anyway, so this is no big deal.

Based on a patch from Dave Chinner.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:25:59 -07:00
Christoph Hellwig
fca8c80542 xfs: remove xfs_reflink_trim_irec_to_next_cow
We already have to check for overlapping COW extents everytime we
come back to a page in xfs_writepage_map / xfs_map_cow, so this
additional trim is not required.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:25:59 -07:00
Christoph Hellwig
a7b28f72ab xfs: don't use XFS_BMAPI_IGSTATE in xfs_map_blocks
We want to be able to use the extent state as a reliably indicator for
the type of I/O, and stop using the buffer head state.  For this we
need to stop using the XFS_BMAPI_IGSTATE so that we don't see merged
extents of different types.

Based on a patch from Dave Chinner.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:25:59 -07:00
Christoph Hellwig
c57371a16d xfs: don't clear imap_valid for a non-uptodate buffers
Finding a buffer that isn't uptodate doesn't invalidate the mapping for
any given block.  The last_sector check will already take care of starting
another ioend as soon as we find any non-update buffer, and if the current
mapping doesn't include the next uptodate buffer the xfs_imap_valid check
will take care of it.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:25:58 -07:00
Christoph Hellwig
91cdfd1761 xfs: do not set the page uptodate in xfs_writepage_map
We already track the page uptodate status based on the buffer uptodate
status, which is updated whenever reading or zeroing blocks.

This code has been there since commit a ptool commit in 2002, which
claims to:

    "merge" the 2.4 fsx fix for block size < page size to 2.5.  This needed
    major changes to actually fit.

and isn't present in other writepage implementations.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:25:58 -07:00
Christoph Hellwig
d438017757 xfs: move locking into xfs_bmap_punch_delalloc_range
Both callers want the same looking, so do it only once.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:25:57 -07:00
Christoph Hellwig
0362572138 xfs: simplify xfs_aops_discard_page
Instead of looking at the buffer heads to see if a block is delalloc just
call xfs_bmap_punch_delalloc_range on the whole page - this will leave
any non-delalloc block intact and handle the iteration for us.  As a side
effect one more place stops caring about buffer heads and we can remove the
xfs_check_page_type function entirely.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:25:57 -07:00
Christoph Hellwig
8b2e77c163 xfs: use iomap for blocksize == PAGE_SIZE readpage and readpages
For file systems with a block size that equals the page size we never do
partial reads, so we can use the buffer_head-less iomap versions of
readpage and readpages without conflicting with the buffer_head structures
create later in write_begin.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-07-11 22:25:56 -07:00
Darrick J. Wong
c2efdfc100 Merge branch 'iomap-4.19-merge' into xfs-4.19-merge 2018-07-11 22:24:40 -07:00
Linus Torvalds
1e4b044d22 Linux 4.18-rc4 2018-07-08 16:34:02 -07:00
Linus Torvalds
ca04b3cca1 ARM: SoC fixes for 4.18-rc
A small collection of fixes, sort of the usual at this point, all for
 i.MX or OMAP:
  - Enable ULPI drivers on i.MX to avoid a hang
  - Pinctrl fix for touchscreen on i.MX51 ZII RDU1
  - Fixes for ethernet clock references on am3517
  - mmc0 write protect detection fix for am335x
  - kzalloc->kcalloc conversion in an OMAP driver
  - USB metastability fix for USB on dra7
  - Fix touchscreen wakeup on am437x
 -----BEGIN PGP SIGNATURE-----
 
 iQJDBAABCAAtFiEElf+HevZ4QCAJmMQ+jBrnPN6EHHcFAltCOpkPHG9sb2ZAbGl4
 b20ubmV0AAoJEIwa5zzehBx38LsP/1V0UGTgU3qz7vo2JkZxa9HAT+vroL1PDUmi
 +WCtndQA5kOGZkAEB8q5Ry6MH9P372JfJrkSy3v0B8e7gRXXH3Ojke9FQA2N5z60
 cKLaiWq3euZ/y5UWvfkd8WX29uBC63y9+AyJcFaacyWYvwwvC6TxMOCcSNBUG24l
 bCGkXgwF9UCPxUWD+ZDgDhrTCNWr6E9jf/guAJ8ozsR/XR1xTSVlWJOq2qY9x9h/
 QvZLa+fYXj55z/XBNWxqlzWu24xHU6yPAizdSOqHVmCe51QTub2ZVlx0qJuWUuvn
 POdVgmwbvKixfX8ivxvIeEb3yEPTOl5WI6xBt3Sf5PcaE+Oby91koFaqq2kOT/fs
 XCMBU9mRFQdryiFuvl8g5cqV26s6AyC+ACxfAhCr4BQoyBZgjITCrR4zfyf/YO1U
 e94VsDawdFG1QSRlbgpYCIeV4uQJJeCeZFKbQ/nZH9R2yBuGEOWry/dET6FkfmiE
 NbWBzIIdrjs1TS5BtCRAOM4KAMKhKcF7EZ67F6azeIt0WcO+w3hf0+8NAQdJqS59
 WjNWS6szmZgEblbJmCgk0CJPUGyLD8voVvQ9AWHTNEHM3CMD+2Mn8ZhYxVxhXCLz
 odQxPOuUk9l3eA4Y5t2DfDaCHA4JRNygsVLyPugzx5XcV2RA30daPhWO9IzKMTPO
 t58/SeW6
 =N/ik
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Olof Johansson:
 "A small collection of fixes, sort of the usual at this point, all for
  i.MX or OMAP:

   - Enable ULPI drivers on i.MX to avoid a hang

   - Pinctrl fix for touchscreen on i.MX51 ZII RDU1

   - Fixes for ethernet clock references on am3517

   - mmc0 write protect detection fix for am335x

   - kzalloc->kcalloc conversion in an OMAP driver

   - USB metastability fix for USB on dra7

   - Fix touchscreen wakeup on am437x"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: imx_v4_v5_defconfig: Select ULPI support
  ARM: imx_v6_v7_defconfig: Select ULPI support
  ARM: dts: omap3: Fix am3517 mdio and emac clock references
  ARM: dts: am335x-bone-common: Fix mmc0 Write Protect
  bus: ti-sysc: Use 2-factor allocator arguments
  ARM: dts: dra7: Disable metastability workaround for USB2
  ARM: dts: imx51-zii-rdu1: fix touchscreen pinctrl
  ARM: dts: am437x: make edt-ft5x06 a wakeup source
2018-07-08 14:12:46 -07:00
Linus Torvalds
23adbe6fb5 Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86/pti updates from Thomas Gleixner:
 "Two small fixes correcting the handling of SSB mitigations on AMD
  processors"

* 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
  x86/bugs: Update when to check for the LS_CFG SSBD mitigation
2018-07-08 13:56:25 -07:00
Linus Torvalds
6f27a64092 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Thomas Gleixner:

 - Prevent an out-of-bounds access in mtrr_write()

 - Break a circular dependency in the new hyperv IPI acceleration code

 - Address the build breakage related to inline functions by enforcing
   gnu_inline and explicitly bringing native_save_fl() out of line,
   which also adds a set of _ARM_ARG macros which provide 32/64bit
   safety.

 - Initialize the shadow CR4 per cpu variable before using it.

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/mtrr: Don't copy out-of-bounds data in mtrr_write
  x86/hyper-v: Fix the circular dependency in IPI enlightenment
  x86/paravirt: Make native_save_fl() extern inline
  x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h>
  compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations
  x86/mm/32: Initialize the CR4 shadow before __flush_tlb_all()
2018-07-08 13:26:55 -07:00
Linus Torvalds
6fb2489d7f Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull scheduler fixes from Thomas Gleixner:

 - The hopefully final fix for the reported race problems in
   kthread_parkme(). The previous attempt still left a hole and was
   partially wrong.

 - Plug a race in the remote tick mechanism which triggers a warning
   about updates not being done correctly. That's a false positive if
   the race condition is hit as the remote CPU is idle. Plug it by
   checking the condition again when holding run queue lock.

 - Fix a bug in the utilization estimation of a run queue which causes
   the estimation to be 0 when a run queue is throttled.

 - Advance the global expiration of the period timer when the timer is
   restarted after a idle period. Otherwise the expiry time is stale and
   the timer fires prematurely.

 - Cure the drift between the bandwidth timer and the runqueue
   accounting, which leads to bogus throttling of runqueues

 - Place the call to cpufreq_update_util() correctly so the function
   will observe the correct number of running RT tasks and not a stale
   one.

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  kthread, sched/core: Fix kthread_parkme() (again...)
  sched/util_est: Fix util_est_dequeue() for throttled cfs_rq
  sched/fair: Advance global expiration when period timer is restarted
  sched/fair: Fix bandwidth timer clock drift condition
  sched/rt: Fix call to cpufreq_update_util()
  sched/nohz: Skip remote tick on idle task entirely
2018-07-08 12:41:23 -07:00
Linus Torvalds
f5c926b99e Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull objtool fix from Thomas Gleixner:
 "A single fix for objtool to address a bug in handling the cold
  subfunction detection for aliased functions which was added recently.
  The bug causes objtool to enter an infinite loop"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  objtool: Support GCC 8 '-fnoreorder-functions'
2018-07-08 11:57:40 -07:00
Linus Torvalds
124b99fb80 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:

 - add missing RETs in x86 aegis/morus

 - fix build error in arm speck

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: x86 - Add missing RETs
  crypto: arm/speck - fix building in Thumb2 mode
2018-07-08 11:29:14 -07:00
Linus Torvalds
70a2dc6abc Bug fixes for ext4; most of which relate to vulnerabilities where a
maliciously crafted file system image can result in a kernel OOPS or
 hang.  At least one fix addresses an inline data bug could be
 triggered by userspace without the need of a crafted file system
 (although it does require that the inline data feature be enabled).
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEK2m5VNv+CHkogTfJ8vlZVpUNgaMFAltBmcYACgkQ8vlZVpUN
 gaPDJgf/cEa9QuiYTbNOmcOMorK9LEk5XO8qsiJdUVNQtLsHZfl0QowbkF9/F/W5
 andTJzNpFvXeLADMTTjpsDnQ90i8LKD11Kol3dPJcMhJhELtQsjxUBguxpQBP86R
 dvHuCl2/AaqX7rr6Co80yYSinRCquqkzJNhdM5/MLNGziSpkQL3dPSs93rmV+YbU
 8DkUwmhDhoiToLBTLaldrAsAzKvor3uyjNPJ3qhxeE2kXrnuI1V4XfstBGjhVKFB
 /5aYWexDZkL5qiCo+lZnqdITqUnPx3uAkUdBn0dj7V+nDow+/R/8nApvlvJu6usF
 OfMoKr098/pmPAjE5aZ8QpBNVtLFpg==
 =njzR
 -----END PGP SIGNATURE-----

Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4

Pull ext4 bugfixes from Ted Ts'o:
 "Bug fixes for ext4; most of which relate to vulnerabilities where a
  maliciously crafted file system image can result in a kernel OOPS or
  hang.

  At least one fix addresses an inline data bug could be triggered by
  userspace without the need of a crafted file system (although it does
  require that the inline data feature be enabled)"

* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
  ext4: check superblock mapped prior to committing
  ext4: add more mount time checks of the superblock
  ext4: add more inode number paranoia checks
  ext4: avoid running out of journal credits when appending to an inline file
  jbd2: don't mark block as modified if the handle is out of credits
  ext4: never move the system.data xattr out of the inode body
  ext4: clear i_data in ext4_inode_info when removing inline data
  ext4: include the illegal physical block in the bad map ext4_error msg
  ext4: verify the depth of extent tree in ext4_find_extent()
  ext4: only look at the bg_flags field if it is valid
  ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
  ext4: always check block group bounds in ext4_init_block_bitmap()
  ext4: always verify the magic number in xattr blocks
  ext4: add corruption check in ext4_xattr_set_entry()
  ext4: add warn_on_error mount option
2018-07-08 11:10:30 -07:00
Linus Torvalds
8979319f2d pci-v4.18-fixes-2
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCgAyFiEEgMe7l+5h9hnxdsnuWYigwDrT+vwFAltBPacUHGJoZWxnYWFz
 QGdvb2dsZS5jb20ACgkQWYigwDrT+vwx+hAAvzTP6o3VOtgNK7lm3nOBuzfykgCv
 TFhXP2yeDItWDBLDpWX7wjs2657W3Sjrpw6FyVIYvsoMKKRuOYeZ6ChDieG5ZgTj
 oxav5U6TlDHoF0fNq0LWfv78lP6+++7/6yaer6j9xDksVqE4/zxlFcExxuszhZlC
 8ptJ54ORn92RdfRHCDptA4PFReNlQWNw3bpKpGxu8xj0TN/sYPN3ggHfnmiEyGMZ
 8/KLNOzGrhoqztaBPyRoG3GhU1hpicT+fWzg11Li8hP1solQDht+S3mnCC1IxqdI
 JSU7/jhti4nUV56qE7QzYzdsVbTFcItGn0WImklIFCt7htp4Rms0wN+QCmwhtjKM
 0WH02gRDip4CcYcPZGeGaeexWJFEScamFK1yxxDV7059KsoQKUN1Sm+R7y9xORYw
 nQAHPTO/nv02Xo+ADAYzV0aBPD7fEvFaWtdXAuLocVWVj3eiEqp8ftoYmuWym6T3
 gHWt9Dod8olj3t9bkR1MWZ121Ar5MsobgJSF30smEx8VMKv+4Xx8eXvq0FCuUQwT
 s/WLTPqK31Sqjii0xe1wO8g0yexCVaBpXJB/e9PpYf/+ICItG1DHLz0Ygw01QWVK
 Tv7HTAofdO42kChHjErB6GbzSuxDxSVCPN26bwkZu0eV91uKiLKA7wLUv8+qSXlZ
 lK98Eypy0Ti7pvA=
 =IOF/
 -----END PGP SIGNATURE-----

Merge tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:

 - Fix a use-after-free in the endpoint code (Dan Carpenter)

 - Stop defaulting CONFIG_PCIE_DW_PLAT_HOST to yes (Geert Uytterhoeven)

 - Fix an nfp regression caused by a change in how we limit the number
   of VFs we can enable (Jakub Kicinski)

 - Fix failure path cleanup issues in the new R-Car gen3 PHY support
   (Marek Vasut)

 - Fix leaks of OF nodes in faraday, xilinx-nwl, xilinx (Nicholas Mc
   Guire)

* tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  nfp: stop limiting VFs to 0
  PCI/IOV: Reset total_VFs limit after detaching PF driver
  PCI: faraday: Add missing of_node_put()
  PCI: xilinx-nwl: Add missing of_node_put()
  PCI: xilinx: Add missing of_node_put()
  PCI: endpoint: Use after free in pci_epf_unregister_driver()
  PCI: controller: dwc: Do not let PCIE_DW_PLAT_HOST default to yes
  PCI: rcar: Clean up PHY init on failure
  PCI: rcar: Shut the PHY down in failpath
2018-07-08 10:55:21 -07:00
Linus Torvalds
b2d44d145d five smb3/cifs fixes for stable (including for some leaks and memory overwrites) and also a few fixes for recent regressions in packet signing
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAltBFyMACgkQiiy9cAdy
 T1EwcAwAoflntkPJtDX1/Ch3fm4cwR/GHiOHJ3jXUUs5x1JVy2YMyIpojijcDB9q
 ifmc9ZEVdov5kJVJF4dz4HUhxDwPbZTgZdAwSaYUdbQepA0Nzu7k7ZaTfzWwzYTa
 AaGxNShfEWogBdhMjNPKHpIUfrnOEtosv6iLLN3iwkbypLH0f3z1Tye38+9wnDO/
 B0M64lf4gxMB7ZsjFoQIu9ZLZMlQgF9ISycPUUmahR6G9sTJaykfyTihTwOo8HUb
 zNA6hgW5lUxCpCc2eNwy2wFuLqwf3+t3JmWUgJoYqVCbscywtTScivZyNEO36/17
 4oFCExMuJ79TXBP9RyTFrYkNhsTTdAyfDOLWcsMVsAo+zHub1nqjm8ENlmGJ7ZAS
 ESdLY+E+59Hndb21Te1IVq7HZsmXKHU6UHxknXTaXFPlBIKeHbH7vtt5zUzq7lxW
 hDwPTmev+b7jOE/4+cR5WQItMxzZ+pW7Toc6f8gmN1IU2FJjEsTgNGy2n4Az5WyR
 pZAydSRd
 =x5ij
 -----END PGP SIGNATURE-----

Merge tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
 "Five smb3/cifs fixes for stable (including for some leaks and memory
  overwrites) and also a few fixes for recent regressions in packet
  signing.

  Additional testing at the recent SMB3 test event, and some good work
  by Paulo and others spotted the issues fixed here. In addition to my
  xfstest runs on these, Aurelien and Stefano did additional test runs
  to verify this set"

* tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
  cifs: Fix infinite loop when using hard mount option
  cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
  cifs: Fix memory leak in smb2_set_ea()
  cifs: fix SMB1 breakage
  cifs: Fix validation of signed data in smb2
  cifs: Fix validation of signed data in smb3+
  cifs: Fix use after free of a mid_q_entry
2018-07-07 18:31:34 -07:00
Linus Torvalds
4f572efde4 Revert an incorrect dma-mapping commit for 4.18-rc
-----BEGIN PGP SIGNATURE-----
 
 iQI/BAABCgApFiEEgdbnc3r/njty3Iq9D55TZVIEUYMFAltBWfgLHGhjaEBsc3Qu
 ZGUACgkQD55TZVIEUYMpehAAooNYwofaWWXrn2Q2aKIfqvsmbdDFXYnb3qY0anIs
 Y+UWS063p1QHd1ZJsyDL83zhfDhOKybs+1sZsDtTaEXL4+my3iRlcb1yyNgEUq68
 AKH/Lf0MSHLsFL/w5EiZgVpN2KpCIJRwiMRJ4smzNpOpDzyhPKF7yqk2Qg2fv9Fx
 hHWI/WyZm8GATXYn6JrI+iXVthicpBiXYjmW8X0+jJHnPsJrieNw2QJDacp2Mjy0
 b1nRKUxamUXwlZI7AI5Wmen2Y1y+c9Sdya3cT+iHWKQwGkaY2Pv+nwnxw/SrJ2KJ
 sGzYc77gb+SploEalhFSuYaJqYa2iP545ykHBt5cNhcwtJQ8BPIn1Uemvfb4twMw
 OtNDKVphQ1yw/lmeESxF28u1VPZB2p14w7DSv4Kkg3rkd0IB+Cn/A40P4ZGICAsY
 7nxs1FqOTj5ivGWERdEGZOwp4CA1jRhNVMHpsleQl/OkJuK0Tb3Y/SX79XHslEQr
 UFt1MlQR/HuYrf97cqcgP2mtfH2LAU7WLbF9+6JgT05kbh8hB3lQo0iscjhv7etQ
 xzQkCPnyc3lwcAs4ftVGVP/PV7YdFFAa0dhrpKzcHYGEEtWh6GgsAtMXVqPRprki
 /bUVw6AR544WV2YfEPNc35lI8xrWgpqWCHYITSoNCXL9X3m2C8sgoonj9MiVNkLl
 daU=
 =8ZHD
 -----END PGP SIGNATURE-----

Merge tag 'dma-mapping-4.18-3' of git://git.infradead.org/users/hch/dma-mapping

Pull dma-mapping fix from Christoph Hellwig:
 "Revert an incorrect dma-mapping commit for 4.18-rc"

* tag 'dma-mapping-4.18-3' of git://git.infradead.org/users/hch/dma-mapping:
  Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up intel_{alloc,free}_coherent()"
2018-07-07 17:55:16 -07:00
Linus Torvalds
89ac2233d3 dmaengine fixes for v4.18-rc4
- Driver fixes for k3dma (off by one), pl330 (burst residue granularity)
    and omap-dma (incorrect residue_granularity)
  - Sinan's email update
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbQK31AAoJEHwUBw8lI4NHdHgQAKPIWGpcochq1D05xXYTtFeW
 8OZ5KxJKj1/fEKbdDVGSvptGRfIOKH//xeb1nFn1vCJh/B/3v25hF9x47m+Dds/l
 nckkzKzn88Q4M5sbiQI+Rzgr4QRnPEjai55GsC90u7U6HmRSUBAnBELc8+gE7z/r
 6XAuUYpnJ6JLjcF9CX8UnG8PzE3Hw4Z94b2t5gaHi0tZnQTwMQ91pH7EGVRwga4+
 M+Cmds7Tvi8w1RTOS3OfD+E7H3PqKx3rZA6w3SK4NZqCSp4zA+jySVKi28QDIxHD
 kIX4i5eZwiClEVAxBNN40Md8sh6BRz5HkOKJy3WL2o1vSLCZJwm9DfJwo1EzKKI/
 FOyIF+clPctNXHwuSnpBes4X3zjPBVcl04Ii3oX1qdrWMT5XyyD8F/Y4NrT3rixQ
 CqqsF7WJHNPUI+ZE+Jxwns5NXWQunpLoaY2cyt2f6DfXZsEtizlUcYhaO1J1SuQn
 UnG/L94l8wX8oemlNYhBf/LvHNlOKzfKqtYVEEHy3c14ONZpeCLc/+TSKaoBWRke
 NJ57Pjecde5w2Z56ZhG/oFwRilXraG62O1JkJTAFeDDLXx1UCl5nOCkCQqGxdMWM
 mDxLVUKzIjJ8DbWJcq3DlLDWVMt2Dbqy7LA7/AagHBnIS1uuv9mXiUQT7CiVDzzG
 8Ekz5Jas6etHn3++K5Mt
 =pPiU
 -----END PGP SIGNATURE-----

Merge tag 'dmaengine-fix-4.18-rc4' of git://git.infradead.org/users/vkoul/slave-dma

Pull dmaengine fixes from Vinod Koul:
 "We have few odd driver fixes and one email update change for you this
  time:

   - Driver fixes for k3dma (off by one), pl330 (burst residue
     granularity) and omap-dma (incorrect residue_granularity)

   - Sinan's email update"

* tag 'dmaengine-fix-4.18-rc4' of git://git.infradead.org/users/vkoul/slave-dma:
  dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
  dmaengine: pl330: report BURST residue granularity
  MAINTAINERS: Update email-id of Sinan Kaya
  dmaengine: ti: omap-dma: Fix OMAP1510 incorrect residue_granularity
2018-07-07 17:29:08 -07:00
Linus Torvalds
ea9561cfc9 A couple of small fixes, one to the BMC side of things that fixes
an interrupt issue, and one oops fix if init fails in a certain
 way on the client driver.
 
 -corey
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbP9SSAAoJEGHzjJCRm/+BSPIP/3R9/zKTfv11OIHWCWaKtZzc
 bb+W5IRddVSNiFHtCJPNuk09ZSRL5q60fNOtYiQvjVWhykzZPqd3ExqkQxFkyIKj
 cirN5iJvE/h28nxL/XOrzErqAFzFqJNY8fG32GeoWlwM4ahDz6vTjQOPwi0PKCbx
 xyiCqxquuFBtW1qgBcGKVxJAMd9w29UGOEY5q7ifzsNIVHk/jABDKdWrpGKWzxHk
 daRRv4lXFyYoKpXk+MDuVZItQMsVwX+91jWOHDCUPohBFYLXcMCf/XSaAlQg84UG
 ugYxT5T04r5WwPzg1WPnq/tYQDtUy4RziVG3CGkFVcTzoOdZpOg+CCRbUdcBWesQ
 PesXOtkRVua7Ccov3eNuCQND1SzqYvQDC2ynoMuC8FImaJ1E7rwuPvb9qGYmUKwt
 M29kfXYIB4WSqMo1DA+Ivf/THnHmaPQGP5mr1sq4xsirtJu1YJrV+ScQXPqO7139
 Kou/mTV6VxwbT+VFID5+sno8ao89g+NG+GgGwYLaBGmUPAuW8wA+OZ9jSTaVWCOb
 tFg8J4AttQ9QVcohXBGV8MClSWUdKtH3L/9x593PR3gT0uiRBmYXAMnFkcLQU8iH
 s/6evtJF8ykMTapiSQCDh8RLDogieHYQVgjSPvYC0KekpK88EysF4zT0mdoc/qOT
 fZYqzB5VJrOVh0ZEok33
 =lLfC
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-4.18-2' of git://github.com/cminyard/linux-ipmi

Pull IPMI fixes from Corey Minyard:
 "A couple of small fixes: one to the BMC side of things that fixes an
  interrupt issue, and one oops fix if init fails in a certain way on
  the client driver"

* tag 'for-linus-4.18-2' of git://github.com/cminyard/linux-ipmi:
  ipmi: kcs_bmc: fix IRQ exception if the channel is not open
  ipmi: Cleanup oops on initialization failure
2018-07-07 17:15:38 -07:00
Linus Torvalds
43b6b6eca8 arm64 LDFLAGS clean-up:
- use aarch64elf instead of aarch64linux
 - move endianness options to LDFLAGS instead from LD
 - remove no-op '-p' linker flag
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE5RElWfyWxS+3PLO2a9axLQDIXvEFAltAjncACgkQa9axLQDI
 XvFcOxAAqrNYMBnFJBbJEFhDmbLP7YMllM5zsTFjxolJYITCW66A/CZ6wSZdJgRe
 5Z5T0xKV6FLkYDxGpNioOcr2vFXuI8czE0uP1PjR2UxM49vCwVW7ytQKygOXnll4
 b80gq4cztiihhQGIIOaOv0x/z+V8ytMs5+YTPjJgmI23b1wKTM2+gk3kdXuJhuUO
 QdVcy5FXU9Ql7PNFa/SRNoja25V9ZXbKc8Itfvwg7H4pVJKgW6lmdJcomGCJWTTf
 2fyV7Nfd5svfAb+K2Wgf4GQEyuBNtpL68ePRhlwnBBd+uLmNAcSfHnPpPFQhQxZS
 rLkpYlk+5KJaQUwi7uXt1TQ4NZV++LIoFvOpdH+mgwLGVuJCDMN02VYthPItGcm+
 znT30CFOWcn4X7f07VRP3Xztg5/JOvYNcrZl4pL11l4y6BKFFqu2BY5QIS8gTYB7
 fequLd7J7QSf5hVzeo2rPkaKvrKfSgeaEfsUjN0vWW5DYvCdmgDzA/+aGyrEQb86
 hbFcUxTSUBYRz4OAPzc94UrhTKorpeP6OZiXiSe98SR+FbRlW2cvWSJMYkZ518EX
 nlFC/+YDlVCgXb8YMW6IvtEcdWdGyMxgaovm3tIfMZO5CfS7RvY6A8r80VDrUH1k
 DB3chrVsCtk0YujrZ69jQL7Jgf39ChkdIN+gTop5znHWCJlbZHE=
 =QXXd
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 LDFLAGS clean-up from Catalin Marinas:

 - use aarch64elf instead of aarch64linux

 - move endianness options to LDFLAGS instead from LD

 - remove no-op '-p' linker flag

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: remove no-op -p linker flag
  arm64: add endianness option to LDFLAGS instead of LD
  arm64: Use aarch64elf and aarch64elfb emulation mode variants
2018-07-07 10:51:25 -07:00
Jann Horn
15279df6f2 x86/mtrr: Don't copy out-of-bounds data in mtrr_write
Don't access the provided buffer out of bounds - this can cause a kernel
out-of-bounds read when invoked through sys_splice() or other things that
use kernel_write()/__kernel_write().

Fixes: 7f8ec5a4f0 ("x86/mtrr: Convert to use strncpy_from_user() helper")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180706215003.156702-1-jannh@google.com
2018-07-07 18:58:41 +02:00
Linus Torvalds
624434af25 SCSI fixes on 20180706
This is two minor bug fixes (aacraid, target) and a fix for a
 potential exploit in the way sg handles teardown.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCWz/hBSYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishUkIAP9JKGYO
 rcoNxusKsTi6tMEeUFzX1Mu0IkUr9ApcsCJMyAEAyRL5+b77PoZG8NgQBBo99iFE
 8DMbxsNbBMbTzDqbfzk=
 =ttS3
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "This is two minor bug fixes (aacraid, target) and a fix for a
  potential exploit in the way sg handles teardown"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: sg: mitigate read/write abuse
  scsi: aacraid: Fix PD performance regression over incorrect qd being set
  scsi: target: Fix truncated PR-in ReadKeys response
2018-07-06 19:45:47 -07:00
Linus Torvalds
29119529d8 for-linus-20180706
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAltAFSMQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpleLD/4qr8zm9EvQbdg3KFyvePehlAuEKkEp1jrk
 wf6LQ9Uc+bNbnXCvxk+U3tXiPDmFOMakZBAyjDFLxL6ArfSEqymJMg1JxXUYwq3l
 tESQNNHjZBZaRpv5YuRLwDPpEivGlA80AE+2tkNTXDaGxRHahZnqV6/eUk1YAtbw
 N1ADOS+EquS/p2DH07QhLqKNWecz6SSr9R+oVU6if1ivC3T0uZbTmKMtUspZEwv/
 2AZr6my0DSk15FdFAGpDaDjPMO26VlWaOrQPXH30/63KysWR2NNuasKVGjcmGSjC
 9/aJREC1BE/hcDSNmu8MhFaL2JFy2F3l7VJzdXlYFbpP0OC6hqdlXPl+CKP43w2L
 iO2N4g+2DbXOf6Si7NtArZMQfY/PQipbcj7Y8o9sq0P6VNO9+csGHzwa8tCQSEi9
 CtinHYV8L7YyopZYRvgRaX1ND3S7ClFRFX9kkAmTA5iOHHJtaKUexKOHu+Pvn5zi
 3/O2y6U7F34CkM5C92+nvTTTPx6bTgs8U9c+V3Eut9InroQAU/SwvH/NsT67fFsu
 FcTWKfQ0HGgcsAxOAN2/vEztgZvu6kwhu3KkkQmt2Qy7B9dtBf44pTdv0b+RsPPq
 Ow/PtFaHK7lwxsGlrqXLdmvqlmJs8DXcc2TQw/JX8lPIc04Hs3ZpxMyt6wSDJToL
 OCZ2cY/bRg==
 =pge/
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-20180706' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:
 "Two minor fixes for this series:

   - add LOOP_SET_BLOCK_SIZE as compat ioctl (Evan Green)

   - drbd use-after-free fix (Lars Ellenberg)"

* tag 'for-linus-20180706' of git://git.kernel.dk/linux-block:
  loop: Add LOOP_SET_BLOCK_SIZE in compat ioctl
  drbd: fix access after free
2018-07-06 19:13:42 -07:00
Linus Torvalds
c2b58149d2 The usual collection of driver fixlets:
- Build cleanup/fix for the sunxi makefile that tried to save size
    but failed and prevented dead code elimination from working
 
  - Two Davinci clk driver fixes for a typo causing build failures
    in different configurations and an error check that checks
    the wrong variable.
 
  - Undo the DT ABI breaking imx6ul binding header shuffle that got
    merged this cycle.
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEE9L57QeeUxqYDyoaDrQKIl8bklSUFAls/q0ERHHNib3lkQGtl
 cm5lbC5vcmcACgkQrQKIl8bklSW3cA//W6ifpX36cjFATeR3A46V5If0ZXL61aog
 cXkh5wCofB3OFdBdJifHFmdDIKjc/7Ix0T3x9rfbMXABsaE2xS6R1ikF4mGl1Osm
 TQXmMJHN8cLM58XLf2A0fVjH3UV7KJ+F4s9N2giDi+PVjFTZDI4uL2KGopHUnUx0
 BppDhf8XH6cKDWepNzQ/uPukQSburZn/pvwjhPQmgVl2pJaUpGXsPAJ4vqTQKrqJ
 IS2iI+wgwHbcIHYtbtabSt18q9jaVQkshy5C0l6fYvXs35on9DnLNGv7hLYK/42i
 HSRr6P1F2HMVir/dyDmWVigqiC3mqEVRedaq6zfRka2FAvX+4NiYTsvXyZYV52Uc
 p68ywqDFdaUWkz5vIS5YyvKb+ynZqvKU9qUMTXigg4pk3xf21eyPOCz5emvcdQ6W
 Tm4muE3xOCMrfPKjDgymkVm6+S8JyeJFjh7lPZxK5NIXSEswlB0y9SOlkn6ycra1
 y3PaKSs/DLmKBuoCteJxuuujqaJM/qbTwYtwDht7tH0vIkrw5Q9YqOe7MqqdGVyl
 hhyqDs7ZtSw4Co5Mu4DDhmqgjwvwQVT3vpzoZyukakEBoQyWomCVFp28I6Ng+iX6
 6RzOEIdNFaNuDOg0kxzENblVPWRmcgv76yYF7JcfrRMhjeDmpYV2xlAEmjHRNp6p
 iZohOeq/X48=
 =pNsb
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Stephen Boyd:
 "The usual collection of driver fixlets:

   - build cleanup/fix for the sunxi makefile that tried to save size
     but failed and prevented dead code elimination from working

   - two Davinci clk driver fixes for a typo causing build failures in
     different configurations and an error check that checks the wrong
     variable.

   - undo the DT ABI breaking imx6ul binding header shuffle that got
     merged this cycle"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  dt-bindings: clock: imx6ul: Do not change the clock definition order
  clk: davinci: fix a typo (which leads to build failures)
  clk: davinci: cfgchip: testing the wrong variable
  clk: sunxi-ng: replace lib-y with obj-y
2018-07-06 12:32:17 -07:00
Linus Torvalds
1bb155702d VFIO fixes for v4.18
- Make vfio-pci IGD extensions optional via Kconfig (Alex Williamson)
 
  - Remove unused and soon to be removed map_atomic callback from mbochs
    sample driver, add unmap callback to avoid dmabuf leaks (Gerd Hoffmann)
 
  - Fix usage of get_user_pages_longterm() (Jason Gunthorpe)
 
  - Fix sample mbochs driver vm_operations_struct.fault return type
    (Souptick Joarder)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.14 (GNU/Linux)
 
 iQIcBAABAgAGBQJbP5NzAAoJECObm247sIsibX8QAJnJ+p88yIhozwmzIyZdy/rN
 zHNo+jSKlyGYmm1GWg77h+UfmVzLPI1eQZUsVt1L582J1M1/cpjiiPLPq/HGMQlw
 kG+9sMxqcux92En5D6nJF8wF/DXSWLxRSv0YTgjLTzhx6d473VYHKBZA/VJa0wBD
 /lj7Mdhbs5FrAwIfZCTyodRvkE21rE63pcS4KnNayjiIIlbiBKV8n+RZ0ayl8Qqp
 oycEMOLo2yF5New2/AK/RAWeCFfiyAgXaFjAor1jD3kiA/PUNs+HpUnbUqjWyj36
 ogI81gZqe1XVrEKaAcESalpldQP3lggxC1QmwhSdOzAjKNRA4qMnvuRr3XyFxXM5
 PsBdqmdmavRTX23rTAViAhlrwwukWaICAU8p2UxVobS3IEEzaG+DHhxOmeeoYF1v
 5fjlf0D1jOaKnYmdEhsLKDEbJ5NCj2qjkkQNA3/MHoyjdmz1ZuonK9oap/OBrPkK
 IB1gSuKUNwsCNyN18c6RBnWagprAEbMR6i35SVEf0VIgM6UI2Ld4aUTDczqObU/L
 T1vgkbp8DkAX8O7TZ29eMm/ieyUZ01pgYuxjnK1MYLR1byuOwI1WpYjQfo1JPtmJ
 TJH5YbGUqznJUZXrkB6CuUCXX3MkG2KU9CZVJU0MwGYuRUvJz5Tk4+ODbpoqDHby
 v1cQJdVywzi8BkacW1DZ
 =shTo
 -----END PGP SIGNATURE-----

Merge tag 'vfio-v4.18-rc4' of git://github.com/awilliam/linux-vfio

Pull VFIO fixes from Alex Williamson:

 - Make vfio-pci IGD extensions optional via Kconfig (Alex Williamson)

 - Remove unused and soon to be removed map_atomic callback from mbochs
   sample driver, add unmap callback to avoid dmabuf leaks (Gerd
   Hoffmann)

 - Fix usage of get_user_pages_longterm() (Jason Gunthorpe)

 - Fix sample mbochs driver vm_operations_struct.fault return type
   (Souptick Joarder)

* tag 'vfio-v4.18-rc4' of git://github.com/awilliam/linux-vfio:
  sample/vfio-mdev: Change return type to vm_fault_t
  vfio: Use get_user_pages_longterm correctly
  sample/mdev/mbochs: add mbochs_kunmap_dmabuf
  sample/mdev/mbochs: remove mbochs_kmap_atomic_dmabuf
  vfio/pci: Make IGD support a configurable option
2018-07-06 12:23:53 -07:00
Linus Torvalds
b4d0562137 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
 "A few more changes for v4.18:

   - wire up the two new system calls io_pgetevents and rseq

   - fix a register corruption in the expolines code for machines
     without EXRL

   - drastically reduce the memory utilization of the dasd driver

   - fix reference counting for KVM page table pages"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390: wire up rseq system call
  s390: wire up io_pgetevents system call
  s390/mm: fix refcount usage for 4K pgste
  s390/dasd: reduce the default queue depth and nr of hardware queues
  s390: Correct register corruption in critical section cleanup
2018-07-06 09:14:34 -07:00
K. Y. Srinivasan
1268ed0c47 x86/hyper-v: Fix the circular dependency in IPI enlightenment
The IPI hypercalls depend on being able to map the Linux notion of CPU ID
to the hypervisor's notion of the CPU ID. The array hv_vp_index[] provides
this mapping. Code for populating this array depends on the IPI functionality.
Break this circular dependency.

[ tglx: Use a proper define instead of '-1' with a u32 variable as pointed
  	out by Vitaly ]

Fixes: 68bb7bfb79 ("X86/Hyper-V: Enable IPI enlightenments")
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Michael Kelley <mikelley@microsoft.com>
Cc: gregkh@linuxfoundation.org
Cc: devel@linuxdriverproject.org
Cc: olaf@aepfle.de
Cc: apw@canonical.com
Cc: jasowang@redhat.com
Cc: hpa@zytor.com
Cc: sthemmin@microsoft.com
Cc: Michael.H.Kelley@microsoft.com
Cc: vkuznets@redhat.com
Link: https://lkml.kernel.org/r/20180703230155.15160-1-kys@linuxonhyperv.com
2018-07-06 12:32:59 +02:00
Linus Torvalds
c42c12a905 amdgpu, i915, exynos, udl, sii8620 and core fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbPsIxAAoJEAx081l5xIa+assP/3i3tpzxASSaONcMoIzNFSv7
 8IXTKIaQpoIidhlh4M4i4xhvDoSLzZnB9Y/ITw9a2piceyTB0Oa1VmxDeYp9PqR1
 jM5Vuqt+WUSoxYAvwdqxbeMuTHY3C2Ff3POcW/siG/Bl0HIV+ajdvPIsh/Gy0/b9
 Q1G0YzZgH7D/VHaUipdjDtsFY+f2YSgM3p618P2A/lDP8WRW66y4CUNDdPPQ+UjU
 hLFyumOvywVHtvuDToeQezHrvbAbeYunt9nGx8RzPgL9X6m5+uX68y+HSxhcxR5T
 rzb5ozeFLT6R+7VKbY9XgXHTxuMQDEeEQQge6iWMDyBGIhfixW3BoH462spkfaCB
 6YceH3y2SsfSOPGax1wmUCQVUAFvPuUYPZv1D356f8AEEtpRTkrqkMd4QuAF9L7M
 Yvx7fhbWjIw3G0m4Sj6HYyBjRDzBSz1QiIq9W05+4EghGQAJ/2TcsXx7BApZz9VH
 01UawXxsurG6Z7JuIXiG7CdSCYklqi3RMnBlDG9TLLfLqzwpwpPjdQ4m7KZQk2dN
 8FoQKMfjzZsuDFVXtCCNEOf9khImiE31335rLvDAIYPqEDmhJb1Xu6r6UWCMgQgx
 iEqCJ4SSWjR6wpwcWB4cZ+7Lb8QlmZ3JgqtaoJ3a23C5lIN4lgyrtrHHsGLb4+j2
 q0vL5pN3uqSCIOeBOpzk
 =v25Z
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2018-07-06' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "This is the drm fixes for rc4.

  It's a bit larger than I'd like but the exynos cleanups are pretty
  mechanical, and I'd rather have them in sooner rather than later so we
  can avoid too much conflicts around them. The non-mechanincal exynos
  changes are mostly fixes for new feature recently introduced.

  Apart from the exynos updates, we have:

  i915:
   - GVT and GGTT mapping fixes

  amdgpu:
   - fix HDMI2.0 4K@60 Hz regression
   - Hotplug fixes for dual-GPU laptops to make power management better
   - misc vega12 bios fixes, a race fix and some typos.

  sii8620 bridge:
   - small fixes around mode setting

  core:
   - use kvzalloc to allocate blob property memory"

* tag 'drm-fixes-2018-07-06' of git://anongit.freedesktop.org/drm/drm: (34 commits)
  drm/amd/display: add a check for display depth validity
  drm/amd/display: adding ycbcr420 pixel encoding for hdmi
  drm/udl: fix display corruption of the last line
  drm/bridge/sii8620: Fix link mode selection
  drm/bridge/sii8620: Fix display of packed pixel modes
  drm/bridge/sii8620: Send AVI infoframe in all MHL versions
  drm/amdgpu: fix user fence write race condition
  drm/i915: Try GGTT mmapping whole object as partial
  drm/amdgpu/pm: fix display count in non-DC path
  drm/amdgpu: fix swapped emit_ib_size in vce3
  drm: Use kvzalloc for allocating blob property memory
  drm/i915/gvt: changed DDI mode emulation type
  drm/i915/gvt: fix a bug of partially write ggtt enties
  drm/exynos: Replace drm_dev_unref with drm_dev_put
  drm/exynos: Replace drm_gem_object_unreference_unlocked with put function
  drm/exynos: Replace drm_framebuffer_{un/reference} with put,get functions
  drm/exynos: ipp: use correct enum type
  drm/exynos: decon5433: Fix WINCONx reset value
  drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
  drm/exynos: fimc: Use real buffer width for configuring the hardware
  ...
2018-07-05 19:43:29 -07:00
Linus Torvalds
97f4e14229 While cleaning out my INBOX, I found a few patches that were lost
in the noise. These are minor bug fixes and clean ups. Those include:
 
  - Avoiding a string overflow
  - Code that didn't match the comment (but should)
  - A small code optimization (use of a conditional)
  - Quieting printf warnings
  - Nuking unused code
  - Fixing function graph interrupt annotation
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQRRSw7ePDh/lE+zeZMp5XQQmuv6qgUCWz7ARhQccm9zdGVkdEBn
 b29kbWlzLm9yZwAKCRAp5XQQmuv6qmMqAQDTS7uvFLRR603WXyOazX6Y7FeiYFWp
 MUUZjnbG9u0bawEAulW53AM0OL3EAAaZKtPi8VtsT+uktR1GIynXrp+yoww=
 =yQDv
 -----END PGP SIGNATURE-----

Merge tag 'trace-v4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

Pull tracing fixes and cleanups from Steven Rostedt:
 "While cleaning out my INBOX, I found a few patches that were lost in
  the noise. These are minor bug fixes and clean ups. Those include:

   - avoid a string overflow

   - code that didn't match the comment (but should)

   - a small code optimization (use of a conditional)

   - quiet printf warnings

   - nuke unused code

   - fix function graph interrupt annotation"

* tag 'trace-v4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  tracing: Fix missing return symbol in function_graph output
  ftrace: Nuke clear_ftrace_function
  tracing: Use __printf markup to silence compiler
  tracing: Optimize trace_buffer_iter() logic
  tracing: Make create_filter() code match the comments
  tracing: Avoid string overflow
2018-07-05 19:29:07 -07:00
Dave Airlie
c78d1f9d95 Fixups
- Fix several problems to IPPv2 merged to mainline recentely.
   . An align problem of width size that IPP driver incorrectly
     calculated the real buffer size.
   . Horizontal and vertical flip problem.
   . Per-plane global alpha for XRGB modes.
   . Incorrect variant of the YUV modes.
 - Fix plane overlapping problem.
   . The stange order of overlapping planes on XRGB modes
     by setting global alpha value to maximum value.
 
 Cleanup
 - Rename a enum type, drm_ipp_size_id, to one specific to Exynos,
   drm_exynos_ipp_limit_type.
 - Replace {un/reference} with {put,get} functions.
   . it replaces several reference/unreference functions with Linux
     kernel nameing standard.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbOcEtAAoJEFc4NIkMQxK4fOIQALMX/zww/9iqbLmQCE0q1Idi
 VmEV/os/Is0yxYXndluKbSVrRlf4bi54ETATOVoxuIlBxPwbJn3q7CdXbOUsc123
 1n5PThLW9g7L9/oIPRgYXDn80rSdoy9AvR04f24AbP95xkCwLosxKOpMkFia9irH
 jaYXDuP0hxHXeMCt8B18OUM0JhY9rad7yPJgRINeFfRAWe1+qPoR68HeztVLCi4G
 f6VBkgoKDGH8ngQIEtkC0p6ouN/z8kcVtcA5Ob9KIld9hnztU84I7sidP4StkPUS
 kvbICe2ro7xPbEIRDn7AzjYAmPJHJEHxKrvbDlOoRGhRuqHHK8HyRhIiOsFYPZgW
 liGVXUvEaV7WjaSL6eAtzSxaLsPC9Z7lj0Ry/x/P+aZrREceaOkOI23C0g13zmPs
 MCVVnt0asJDPxI2o1epy1AQoAnaVVshuJhpRQYBvYhiNcL7JLyooczGuROFVkQ2q
 Chg9wgM8R5LEh6vnt7ZZHmD3bSsIY0OUzoQvoF1WP1EIItusYw5DQNL4CrbQY1rb
 oooz8UP+rGiPKnfZcNruBrT13EQdOE7dz26W+cHRjmZmDDU/8QDnaSnLqD3xr6Yv
 2vTyaB8pWWZttih01tADkDqA+rmRnd3ffyA1Zjwzv7Tey6pW8uqiSwoZrAZuj7ek
 aq0SJRXt6dvoY6nDFy5R
 =+7bq
 -----END PGP SIGNATURE-----

Merge tag 'exynos-drm-fixes-for-v4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes

Fixups
- Fix several problems to IPPv2 merged to mainline recentely.
  . An align problem of width size that IPP driver incorrectly
    calculated the real buffer size.
  . Horizontal and vertical flip problem.
  . Per-plane global alpha for XRGB modes.
  . Incorrect variant of the YUV modes.
- Fix plane overlapping problem.
  . The stange order of overlapping planes on XRGB modes
    by setting global alpha value to maximum value.

Cleanup
- Rename a enum type, drm_ipp_size_id, to one specific to Exynos,
  drm_exynos_ipp_limit_type.
- Replace {un/reference} with {put,get} functions.
  . it replaces several reference/unreference functions with Linux
    kernel nameing standard.

Signed-off-by: Dave Airlie <airlied@redhat.com>

Link: https://patchwork.freedesktop.org/patch/msgid/1530512041-21392-1-git-send-email-inki.dae@samsung.com
2018-07-06 10:47:02 +10:00
Dave Airlie
c8440a70bd Merge branch 'drm-fixes-4.18' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
- Fix an HDMI 2.0 4k@60 regression
- Hotplug fixes for PX/HG laptops
- Fixes for vbios changes in vega12
- Fix a race in the user fence code
- Fix a couple of misc typos

Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180705155206.2752-1-alexander.deucher@amd.com
2018-07-06 10:44:43 +10:00
Dave Airlie
0581a5cb06 A couple of GVT fixes, and a GGTT mmapping fix.
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEFWWmW3ewYy4RJOWc05gHnSar7m8FAls+DhEACgkQ05gHnSar
 7m/QRA/8CmWdYgRLWT9gc2OB8uWVWsKyMeO5Uvoy/3lnWPlmFO4J6wvOptVSxlfh
 yR89jIoxdb4204P5vjuI3dHD5WQFCiQzDTP438oIhFxc6KXr2osDMoy1laIpG31v
 XrV7dXk3lGOdkP+l6es0L4xo2IHpR9NLNtb61HNHmJFbsAPONG55wUW0VNDx17DY
 DyhyZtnI8Y+WZ8it95dn1E11MgKrQIpHKeWqAhJor2XaS6vHJkfzJFuNQh2V1dKm
 n9IbE1YexaYxC6ky7CEbDuSBu23NVsqZ0+QUHoq2qGj7s2i5PBzahCPZ+9TltypF
 fTCjtpXEhO3E2LCSUm/JEmZbl8zgKEzDBSRW/XMU2ryQby+AVTvtHIaFn9G1B8Ax
 dv0QCisNWmvA9m+jq2NfblffoD5aY0ME1eb6wKYf5XDIq8uysXHgSXP/3riaNcBb
 z4j/Bvf+qaBwxuOrbeZvwsjR8sgBxZR8sazUtUF1baiUODbya4dmWSiuQrBrDPtS
 5ZPw/glQhKcyFhAIN014Tn4opgbWnlMOgRaJOqb5EQ4tEcr6sCsiQBqgOE+A5eMR
 TWl27CsKkBvAthgemvLudlEdYkOe2OKwmUCuHhdYQAFL/nV4QzfP+7hpo17M8BIt
 hMYqmxf9pfHXILUkgDgv98q95ZaDkic5Aaa9nUQZVJ7iUQGpeZ0=
 =Euzf
 -----END PGP SIGNATURE-----

Merge tag 'drm-intel-fixes-2018-07-05' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

A couple of GVT fixes, and a GGTT mmapping fix.

Signed-off-by: Dave Airlie <airlied@redhat.com>

Link: https://patchwork.freedesktop.org/patch/msgid/8736wxq35t.fsf@intel.com
2018-07-06 10:44:09 +10:00
Dave Airlie
b7716735bb Fixes for v4.18-rc4:
- A few small fixes for the sii8620 bridge.
 - Allocate blob property memory using kvzalloc instead of kmalloc.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEuXvWqAysSYEJGuVH/lWMcqZwE8MFAls+Gq4ACgkQ/lWMcqZw
 E8PrGxAAiDFICLETi/mmVNleRvmhYKiJIOIgyk6KlVg2EwGuYvJfU3WHmzdrV8rA
 6WPPiVoPI4KKYARBqS1nQCDByWx0ZJ+AXrJLpkzfctCKJGnBQKRjsykwD1jmoeY9
 EgXJbjLUbIpFzo4aeNUEuezXuFWQFuzRA+5EySiK5njE3wqowoRkX2m4yDRDayFH
 HgQzhIAl3iEQqx2lgmVo1Pn/yiPMev2kXFr6TIdGs8u2ompKSpFNTYdunjmfh45X
 m77lVx9OkynETnoIqo5sy+YGW+Hzc0II/Re+HBmqbSPc3TJOErzHJikMUd2NnLsi
 GAP5LnGuQAFiN7FqCiNxAyl+OtbDdw7MEWxCr2ec41vNOyLGbBN7Aqb7a68pAH8M
 MJcOnbinYpZns6FVsR8ZP5HW9jWvow4NWBKx2R7n2g2ysMed4N2EKEHznxPhvGVu
 f1b0PoBodZ/SdOuVsli4sHrn5iOxhYZF2S/ynhgsxjSeQ4gXpUMXgs9US5be7L0C
 DVxUIMYk5Nyhg2LCz/eHQnyT/hLj4VjvbYFsDgSWCJAO/u3QRuVPGDKLnDI6MOXH
 3+8z/3zkviz0dTKilY6v5EfnpFmGXmGNIj/DlnmpHstfJ8rwm2haaeauQZ00Uj1R
 namWJIwjxbRG539UhGPXYGW3+UTyHpzBhlrk9GXTawQ2iPfh2EU=
 =bfQR
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2018-07-05' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

Fixes for v4.18-rc4:
- A few small fixes for the sii8620 bridge.
- Allocate blob property memory using kvzalloc instead of kmalloc.

Signed-off-by: Dave Airlie <airlied@redhat.com>

Link: https://patchwork.freedesktop.org/patch/msgid/4267636e-bb7c-8f69-eeff-12e045b3e7e1@linux.intel.com
2018-07-06 10:41:29 +10:00
Olof Johansson
f0463f3619 Fixes for omap for v4.18-rc cycle
Few dts fixes for regressions for various SoCs and
 devices for touchscreen wake, dra7 USB quirk, pinmux
 for beaglebone mmc, and emac clock.
 
 Also included is a change for ti-sysc to use kcalloc
 that Kees wanted to get into v4.18 as that's the last
 one he wanted to fix for improved defense against
 allocation overflows.
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEEkgNvrZJU/QSQYIcQG9Q+yVyrpXMFAls92woRHHRvbnlAYXRv
 bWlkZS5jb20ACgkQG9Q+yVyrpXNM/g//ZB5+qrF+798I0EGpL92ZX1nq/8ZudpRl
 A/E4o/mYJ6ltKMhIT96yYTBmd1Vz6FB54UK/5WZtHAKl14WyTIcncj7g0Cd+dMlj
 KvXnZIdyUdK1WIrPzDzGSPWxuVbq8n2dkqee51QApNK7eYsUyDt/xmmUr+SX426u
 C4Yit4ff7GY16qQuRgcwuISuAE6rP7o4iPak0nNnB+8v6ghjXSsteC9VVzaE7ATa
 cW2+cR7nlzYkoTcWkBjv99htcm5/wT5VF+ugeVtgUswyRalLV9FOeTvwEtghCnIc
 Eo8zHGwLy2lvDI9QlboBEnmwLHtw0uUrdLLAS2tBJ4053ojCxJcNq5h4f6pcFjHC
 OjjKp/7TDI7xXHjWTuj4D4zLHbEzDag9kNmAk0eN3LfH3iQK6uTc1vLQT28sC2nC
 gvEodrvXqD0v4IQF8EVZ9n2feVc3lRj2b2FuXfcdNHXITrFSiL+P4lyYPmMPkMOn
 VevqLJ0xxUiRWr0GFeBQkBjZzDs7x9Rpk4qhXcsOBnB261aePvpMM8k875TmcU9s
 k+a1JQn3s7SuAoUvPa1AltEkmYRzPyPHszJC312izW9yMpMZUI0nS0gVZSKuL5Gg
 sFEmc1WevyoUhctebvR778wRl/41PMLGmMSTX5HVzcZpbEFxFJTLBH9AbaV3pblj
 V6UGlXvOS7s=
 =H1MU
 -----END PGP SIGNATURE-----

Merge tag 'omap-for-v4.18/fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes

Fixes for omap for v4.18-rc cycle

Few dts fixes for regressions for various SoCs and
devices for touchscreen wake, dra7 USB quirk, pinmux
for beaglebone mmc, and emac clock.

Also included is a change for ti-sysc to use kcalloc
that Kees wanted to get into v4.18 as that's the last
one he wanted to fix for improved defense against
allocation overflows.

* tag 'omap-for-v4.18/fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
  ARM: dts: omap3: Fix am3517 mdio and emac clock references
  ARM: dts: am335x-bone-common: Fix mmc0 Write Protect
  bus: ti-sysc: Use 2-factor allocator arguments
  ARM: dts: dra7: Disable metastability workaround for USB2
  ARM: dts: am437x: make edt-ft5x06 a wakeup source

Signed-off-by: Olof Johansson <olof@lixom.net>
2018-07-05 14:59:20 -07:00
Linus Torvalds
0fa3ecd878 Fix up non-directory creation in SGID directories
sgid directories have special semantics, making newly created files in
the directory belong to the group of the directory, and newly created
subdirectories will also become sgid.  This is historically used for
group-shared directories.

But group directories writable by non-group members should not imply
that such non-group members can magically join the group, so make sure
to clear the sgid bit on non-directories for non-members (but remember
that sgid without group execute means "mandatory locking", just to
confuse things even more).

Reported-by: Jann Horn <jannh@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-07-05 12:36:36 -07:00
Christoph Hellwig
7ec916f82c Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up intel_{alloc,free}_coherent()"
This commit may cause a less than required dma mask to be used for
some allocations, which apparently leads to module load failures for
iwlwifi sometimes.

This reverts commit d657c5c73c.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reported-by: Fabio Coatti <fabio.coatti@gmail.com>
Tested-by: Fabio Coatti <fabio.coatti@gmail.com>
2018-07-05 13:32:06 -06:00
Stefano Brivio
729c0c9dd5 cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
smb{2,3}_create_lease_buf() store a lease key in the lease
context for later usage on a lease break.

In most paths, the key is currently sourced from data that
happens to be on the stack near local variables for oplock in
SMB2_open() callers, e.g. from open_shroot(), whereas
smb2_open_file() properly allocates space on its stack for it.

The address of those local variables holding the oplock is then
passed to create_lease_buf handlers via SMB2_open(), and 16
bytes near oplock are used. This causes a stack out-of-bounds
access as reported by KASAN on SMB2.1 and SMB3 mounts (first
out-of-bounds access is shown here):

[  111.528823] BUG: KASAN: stack-out-of-bounds in smb3_create_lease_buf+0x399/0x3b0 [cifs]
[  111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
[  111.532838] CPU: 3 PID: 985 Comm: mount.cifs Not tainted 4.18.0-rc3+ #91
[  111.534656] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  111.536838] Call Trace:
[  111.537528]  dump_stack+0xc2/0x16b
[  111.540890]  print_address_description+0x6a/0x270
[  111.542185]  kasan_report+0x258/0x380
[  111.544701]  smb3_create_lease_buf+0x399/0x3b0 [cifs]
[  111.546134]  SMB2_open+0x1ef8/0x4b70 [cifs]
[  111.575883]  open_shroot+0x339/0x550 [cifs]
[  111.591969]  smb3_qfs_tcon+0x32c/0x1e60 [cifs]
[  111.617405]  cifs_mount+0x4f3/0x2fc0 [cifs]
[  111.674332]  cifs_smb3_do_mount+0x263/0xf10 [cifs]
[  111.677915]  mount_fs+0x55/0x2b0
[  111.679504]  vfs_kern_mount.part.22+0xaa/0x430
[  111.684511]  do_mount+0xc40/0x2660
[  111.698301]  ksys_mount+0x80/0xd0
[  111.701541]  do_syscall_64+0x14e/0x4b0
[  111.711807]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  111.713665] RIP: 0033:0x7f372385b5fa
[  111.715311] Code: 48 8b 0d 99 78 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 78 2c 00 f7 d8 64 89 01 48
[  111.720330] RSP: 002b:00007ffff27049d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  111.722601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f372385b5fa
[  111.724842] RDX: 000055c2ecdc73b2 RSI: 000055c2ecdc73f9 RDI: 00007ffff270580f
[  111.727083] RBP: 00007ffff2705804 R08: 000055c2ee976060 R09: 0000000000001000
[  111.729319] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f3723f4d000
[  111.731615] R13: 000055c2ee976060 R14: 00007f3723f4f90f R15: 0000000000000000

[  111.735448] The buggy address belongs to the page:
[  111.737420] page:ffffea000420a7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  111.739890] flags: 0x17ffffc0000000()
[  111.741750] raw: 0017ffffc0000000 0000000000000000 dead000000000200 0000000000000000
[  111.744216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  111.746679] page dumped because: kasan: bad access detected

[  111.750482] Memory state around the buggy address:
[  111.752562]  ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[  111.754991]  ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[  111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
[  111.759801]                                               ^
[  111.762034]  ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[  111.764486]  ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.766913] ==================================================================

Lease keys are however already generated and stored in fid data
on open and create paths: pass them down to the lease context
creation handlers and use them.

Suggested-by: Aurélien Aptel <aaptel@suse.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Fixes: b8c32dbb0d ("CIFS: Request SMB2.1 leases")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:25 -05:00
Paulo Alcantara
7ffbe65578 cifs: Fix infinite loop when using hard mount option
For every request we send, whether it is SMB1 or SMB2+, we attempt to
reconnect tcon (cifs_reconnect_tcon or smb2_reconnect) before carrying
out the request.

So, while server->tcpStatus != CifsNeedReconnect, we wait for the
reconnection to succeed on wait_event_interruptible_timeout(). If it
returns, that means that either the condition was evaluated to true, or
timeout elapsed, or it was interrupted by a signal.

Since we're not handling the case where the process woke up due to a
received signal (-ERESTARTSYS), the next call to
wait_event_interruptible_timeout() will _always_ fail and we end up
looping forever inside either cifs_reconnect_tcon() or smb2_reconnect().

Here's an example of how to trigger that:

$ mount.cifs //foo/share /mnt/test -o
username=foo,password=foo,vers=1.0,hard

(break connection to server before executing bellow cmd)
$ stat -f /mnt/test & sleep 140
[1] 2511

$ ps -aux -q 2511
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2511  0.0  0.0  12892  1008 pts/0    S    12:24   0:00 stat -f
/mnt/test

$ kill -9 2511

(wait for a while; process is stuck in the kernel)
$ ps -aux -q 2511
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2511 83.2  0.0  12892  1008 pts/0    R    12:24  30:01 stat -f
/mnt/test

By using 'hard' mount point means that cifs.ko will keep retrying
indefinitely, however we must allow the process to be killed otherwise
it would hang the system.

Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Cc: stable@vger.kernel.org
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:25 -05:00
Stefano Brivio
f46ecbd97f cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
A "small" CIFS buffer is not big enough in general to hold a
setacl request for SMB2, and we end up overflowing the buffer in
send_set_info(). For instance:

 # mount.cifs //127.0.0.1/test /mnt/test -o username=test,password=test,nounix,cifsacl
 # touch /mnt/test/acltest
 # getcifsacl /mnt/test/acltest
 REVISION:0x1
 CONTROL:0x9004
 OWNER:S-1-5-21-2926364953-924364008-418108241-1000
 GROUP:S-1-22-2-1001
 ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
 ACL:S-1-22-2-1001:ALLOWED/0x0/R
 ACL:S-1-22-2-1001:ALLOWED/0x0/R
 ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
 ACL:S-1-1-0:ALLOWED/0x0/R
 # setcifsacl -a "ACL:S-1-22-2-1004:ALLOWED/0x0/R" /mnt/test/acltest

this setacl will cause the following KASAN splat:

[  330.777927] BUG: KASAN: slab-out-of-bounds in send_set_info+0x4dd/0xc20 [cifs]
[  330.779696] Write of size 696 at addr ffff88010d5e2860 by task setcifsacl/1012

[  330.781882] CPU: 1 PID: 1012 Comm: setcifsacl Not tainted 4.18.0-rc2+ #2
[  330.783140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  330.784395] Call Trace:
[  330.784789]  dump_stack+0xc2/0x16b
[  330.786777]  print_address_description+0x6a/0x270
[  330.787520]  kasan_report+0x258/0x380
[  330.788845]  memcpy+0x34/0x50
[  330.789369]  send_set_info+0x4dd/0xc20 [cifs]
[  330.799511]  SMB2_set_acl+0x76/0xa0 [cifs]
[  330.801395]  set_smb2_acl+0x7ac/0xf30 [cifs]
[  330.830888]  cifs_xattr_set+0x963/0xe40 [cifs]
[  330.840367]  __vfs_setxattr+0x84/0xb0
[  330.842060]  __vfs_setxattr_noperm+0xe6/0x370
[  330.843848]  vfs_setxattr+0xc2/0xd0
[  330.845519]  setxattr+0x258/0x320
[  330.859211]  path_setxattr+0x15b/0x1b0
[  330.864392]  __x64_sys_setxattr+0xc0/0x160
[  330.866133]  do_syscall_64+0x14e/0x4b0
[  330.876631]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  330.878503] RIP: 0033:0x7ff2e507db0a
[  330.880151] Code: 48 8b 0d 89 93 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 93 2c 00 f7 d8 64 89 01 48
[  330.885358] RSP: 002b:00007ffdc4903c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
[  330.887733] RAX: ffffffffffffffda RBX: 000055d1170de140 RCX: 00007ff2e507db0a
[  330.890067] RDX: 000055d1170de7d0 RSI: 000055d115b39184 RDI: 00007ffdc4904818
[  330.892410] RBP: 0000000000000001 R08: 0000000000000000 R09: 000055d1170de7e4
[  330.894785] R10: 00000000000002b8 R11: 0000000000000246 R12: 0000000000000007
[  330.897148] R13: 000055d1170de0c0 R14: 0000000000000008 R15: 000055d1170de550

[  330.901057] Allocated by task 1012:
[  330.902888]  kasan_kmalloc+0xa0/0xd0
[  330.904714]  kmem_cache_alloc+0xc8/0x1d0
[  330.906615]  mempool_alloc+0x11e/0x380
[  330.908496]  cifs_small_buf_get+0x35/0x60 [cifs]
[  330.910510]  smb2_plain_req_init+0x4a/0xd60 [cifs]
[  330.912551]  send_set_info+0x198/0xc20 [cifs]
[  330.914535]  SMB2_set_acl+0x76/0xa0 [cifs]
[  330.916465]  set_smb2_acl+0x7ac/0xf30 [cifs]
[  330.918453]  cifs_xattr_set+0x963/0xe40 [cifs]
[  330.920426]  __vfs_setxattr+0x84/0xb0
[  330.922284]  __vfs_setxattr_noperm+0xe6/0x370
[  330.924213]  vfs_setxattr+0xc2/0xd0
[  330.926008]  setxattr+0x258/0x320
[  330.927762]  path_setxattr+0x15b/0x1b0
[  330.929592]  __x64_sys_setxattr+0xc0/0x160
[  330.931459]  do_syscall_64+0x14e/0x4b0
[  330.933314]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  330.936843] Freed by task 0:
[  330.938588] (stack is not available)

[  330.941886] The buggy address belongs to the object at ffff88010d5e2800
 which belongs to the cache cifs_small_rq of size 448
[  330.946362] The buggy address is located 96 bytes inside of
 448-byte region [ffff88010d5e2800, ffff88010d5e29c0)
[  330.950722] The buggy address belongs to the page:
[  330.952789] page:ffffea0004357880 count:1 mapcount:0 mapping:ffff880108fdca80 index:0x0 compound_mapcount: 0
[  330.955665] flags: 0x17ffffc0008100(slab|head)
[  330.957760] raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff880108fdca80
[  330.960356] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[  330.963005] page dumped because: kasan: bad access detected

[  330.967039] Memory state around the buggy address:
[  330.969255]  ffff88010d5e2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  330.971833]  ffff88010d5e2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  330.974397] >ffff88010d5e2980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  330.976956]                                            ^
[  330.979226]  ffff88010d5e2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  330.981755]  ffff88010d5e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  330.984225] ==================================================================

Fix this by allocating a regular CIFS buffer in
smb2_plain_req_init() if the request command is SMB2_SET_INFO.

Reported-by: Jianhong Yin <jiyin@redhat.com>
Fixes: 366ed846df ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function")
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-and-tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:25 -05:00
Paulo Alcantara
6aa0c114ec cifs: Fix memory leak in smb2_set_ea()
This patch fixes a memory leak when doing a setxattr(2) in SMB2+.

Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
2018-07-05 13:48:24 -05:00
Ronnie Sahlberg
81f39f951b cifs: fix SMB1 breakage
SMB1 mounting broke in commit 35e2cc1ba7
("cifs: Use correct packet length in SMB2_TRANSFORM header")
Fix it and also rename smb2_rqst_len to smb_rqst_len
to make it less unobvious that the function is also called from
CIFS/SMB1

Good job by Paulo reviewing and cleaning up Ronnie's original patch.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:24 -05:00
Paulo Alcantara
8de8c4608f cifs: Fix validation of signed data in smb2
Fixes: c713c8770f ("cifs: push rfc1002 generation down the stack")

We failed to validate signed data returned by the server because
__cifs_calc_signature() now expects to sign the actual data in iov but
we were also passing down the rfc1002 length.

Fix smb3_calc_signature() to calculate signature of rfc1002 length prior
to passing only the actual data iov[1-N] to __cifs_calc_signature(). In
addition, there are a few cases where no rfc1002 length is passed so we
make sure there's one (iov_len == 4).

Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:24 -05:00
Paulo Alcantara
27c32b49c3 cifs: Fix validation of signed data in smb3+
Fixes: c713c8770f ("cifs: push rfc1002 generation down the stack")

We failed to validate signed data returned by the server because
__cifs_calc_signature() now expects to sign the actual data in iov but
we were also passing down the rfc1002 length.

Fix smb3_calc_signature() to calculate signature of rfc1002 length prior
to passing only the actual data iov[1-N] to __cifs_calc_signature(). In
addition, there are a few cases where no rfc1002 length is passed so we
make sure there's one (iov_len == 4).

Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:24 -05:00
Lars Persson
696e420bb2 cifs: Fix use after free of a mid_q_entry
With protocol version 2.0 mounts we have seen crashes with corrupt mid
entries. Either the server->pending_mid_q list becomes corrupt with a
cyclic reference in one element or a mid object fetched by the
demultiplexer thread becomes overwritten during use.

Code review identified a race between the demultiplexer thread and the
request issuing thread. The demultiplexer thread seems to be written
with the assumption that it is the sole user of the mid object until
it calls the mid callback which either wakes the issuer task or
deletes the mid.

This assumption is not true because the issuer task can be woken up
earlier by a signal. If the demultiplexer thread has proceeded as far
as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
thread will happily end up calling cifs_delete_mid while the
demultiplexer thread still is using the mid object.

Inserting a delay in the cifs demultiplexer thread widens the race
window and makes reproduction of the race very easy:

		if (server->large_buf)
			buf = server->bigbuf;

+		usleep_range(500, 4000);

		server->lstrp = jiffies;

To resolve this I think the proper solution involves putting a
reference count on the mid object. This patch makes sure that the
demultiplexer thread holds a reference until it has finished
processing the transaction.

Cc: stable@vger.kernel.org
Signed-off-by: Lars Persson <larper@axis.com>
Acked-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:24 -05:00
Linus Torvalds
d02d21ea00 autofs: rename 'autofs' module back to 'autofs4'
It turns out that systemd has a bug: it wants to load the autofs module
early because of some initialization ordering with udev, and it doesn't
do that correctly.  Everywhere else it does the proper "look up module
name" that does the proper alias resolution, but in that early code, it
just uses a hardcoded "autofs4" for the module name.

The result of that is that as of commit a2225d931f ("autofs: remove
left-over autofs4 stubs"), you get

    systemd[1]: Failed to insert module 'autofs4': No such file or directory

in the system logs, and a lack of module loading.  All this despite the
fact that we had very clearly marked 'autofs4' as an alias for this
module.

What's so ridiculous about this is that literally everything else does
the module alias handling correctly, including really old versions of
systemd (that just used 'modprobe' to do this), and even all the other
systemd module loading code.

Only that special systemd early module load code is broken, hardcoding
the module names for not just 'autofs4', but also "ipv6", "unix",
"ip_tables" and "virtio_rng".  Very annoying.

Instead of creating an _additional_ separate compatibility 'autofs4'
module, just rely on the fact that everybody else gets this right, and
just call the module 'autofs4' for compatibility reasons, with 'autofs'
as the alias name.

That will allow the systemd people to fix their bugs, adding the proper
alias handling, and maybe even fix the name of the module to be just
"autofs" (so that they can _test_ the alias handling).  And eventually,
we can revert this silly compatibility hack.

See also

    https://github.com/systemd/systemd/issues/9501
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902946

for the systemd bug reports upstream and in the Debian bug tracker
respectively.

Fixes: a2225d931f ("autofs: remove left-over autofs4 stubs")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Reported-by: Michael Biebl <biebl@debian.org>
Cc: Ian Kent <raven@themaw.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-07-05 11:35:04 -07:00