Граф коммитов

841895 Коммитов

Автор SHA1 Сообщение Дата
Denis Efremov 5635f897ed floppy: fix out-of-bounds read in next_valid_format
This fixes a global out-of-bounds read access in the next_valid_format
function of the floppy driver.

The values from autodetect field of the struct floppy_drive_params are
used as indices for the floppy_type array in the next_valid_format
function 'floppy_type[DP->autodetect[probed_format]].sect'.

To trigger the bug, one could use a value out of range and set the drive
parameters with the FDSETDRVPRM ioctl.  A floppy disk is not required to
be inserted.

CAP_SYS_ADMIN is required to call FDSETDRVPRM.

The patch adds the check for values of the autodetect field to be in the
'0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-17 14:45:49 -07:00
Denis Efremov f3554aeb99 floppy: fix div-by-zero in setup_format_params
This fixes a divide by zero error in the setup_format_params function of
the floppy driver.

Two consecutive ioctls can trigger the bug: The first one should set the
drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
to become zero.  Next, the floppy format operation should be called.

A floppy disk is not required to be inserted.  An unprivileged user
could trigger the bug if the device is accessible.

The patch checks F_SECT_PER_TRACK for a non-zero value in the
set_geometry function.  The proper check should involve a reasonable
upper limit for the .sect and .rate fields, but it could change the
UAPI.

The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
cancels the formatting operation in case of zero.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-17 14:45:49 -07:00
Linus Torvalds 0ecfebd2b5 Linux 5.2 2019-07-07 15:41:56 -07:00
Linus Torvalds 46713c3d2f for-linus-20190706
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAl0gx2YQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpjHcD/wJWR2TOKv0+9U7YaaPdTM6Vyq3WDVXgKOZ
 gqjJhW2cbz94ZeTYF5iZmO9Dt4Pvv0Tt3WuJ1fSLvltbqdtLNM0pbNoP9DrtS5JB
 J7aJRucj0XODY6FZ7nIW7xtIJSaLO3hP+1spOGGNq/5N+o+IOnKho9mXjDOZDnan
 AiXAL0q95O887vKvi8iUEwRE6LiaGfMyfjD8tppxJMiusz+o2XTijD8Yt5UNjR8Q
 CRL894aRc4MwF+tP/kO2qxQNgvKVp910oL+BOKaDM2fFSGIRbUii1l9233cPMEtT
 njsm8okUK13KcdVdZvVw5EYumDLZ2WUndjorCQ47YdmKU9GyuhosSzu/rt/0edLp
 GKmpKKuivMpPFwQb34MCK6oRH+PE4WrTglqccgSDPSmTdXgfF3OtEzwh+9XJ5FU3
 WeBL803tGfcXCsr98BwiE/nDe+rHpcBIH5Oy0Dkh5TAdEiLLpE04J2zPXqdgUsvR
 9nSu6yOS33B0d/jF1Y3s0c0fmkdO9z0/nMbWHLXv8abxtHTrpteUof1HQqZokKFo
 xACIZRGOanPDMr9j23Iug2uMAFYfrZSdG8bT+NJ/klprXd0TzcQ2576//7PBVapj
 lolH0BazMay9yiItnbai5z83/BcvuJU3hyVOiTg2PJcOppFHhfVkYfhExxH1nJoB
 4NoFSj9xUg==
 =2Amr
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-20190706' of git://git.kernel.dk/linux-block

Pull block fix from Jens Axboe:
 "Just a single fix for a patch from Greg KH, which reportedly break
  block debugfs locations for certain setups. Trivial enough that I
  think we should include it now, rather than wait and release 5.2 with
  it, since it's a regression in this series"

* tag 'for-linus-20190706' of git://git.kernel.dk/linux-block:
  blk-mq: fix up placement of debugfs directory of queue files
2019-07-06 11:48:39 -07:00
Linus Torvalds bcc0e65f47 A few more MIPS fixes:
- Fix a silly typo in virt_addr_valid which led to completely bogus
   behavior (that happened to stop tripping up hardened usercopy despite
   being broken).
 
 - Fix UART parity setup on AR933x systems.
 
 - A build fix for non-Linux build machines.
 
 - Have the 'all' make target build DTBs, primarily to fit in with the
   behavior of scripts/package/builddeb.
 
 - Handle an execution hazard in TLB exceptions that use KScratch
   registers, which could inadvertently clobber the $1 register on some
   generally higher-end out-of-order CPUs.
 
 - A MAINTAINERS update to fix the path to the NAND driver for Ingenic
   systems.
 -----BEGIN PGP SIGNATURE-----
 
 iIsEABYIADMWIQRgLjeFAZEXQzy86/s+p5+stXUA3QUCXSDJfhUccGF1bC5idXJ0
 b25AbWlwcy5jb20ACgkQPqefrLV1AN35ygEA30KckazfjbtmW0EqD+C19sgtbSS3
 eCAiweHHwLJoyUUBAJ/HzlZ8ap2X9ilZuFdzKEf1igj5WsLIyrkl6kkauUEA
 =DRYO
 -----END PGP SIGNATURE-----

Merge tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux

Pull MIPS fixes from Paul Burton:
 "A few more MIPS fixes:

   - Fix a silly typo in virt_addr_valid which led to completely bogus
     behavior (that happened to stop tripping up hardened usercopy
     despite being broken).

   - Fix UART parity setup on AR933x systems.

   - A build fix for non-Linux build machines.

   - Have the 'all' make target build DTBs, primarily to fit in with the
     behavior of scripts/package/builddeb.

   - Handle an execution hazard in TLB exceptions that use KScratch
     registers, which could inadvertently clobber the $1 register on
     some generally higher-end out-of-order CPUs.

   - A MAINTAINERS update to fix the path to the NAND driver for Ingenic
     systems"

* tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
  MAINTAINERS: Correct path to moved files
  MIPS: Add missing EHB in mtc0 -> mfc0 sequence.
  MIPS: have "plain" make calls build dtbs for selected platforms
  MIPS: fix build on non-linux hosts
  MIPS: ath79: fix ar933x uart parity mode
  MIPS: Fix bounds check virt_addr_valid
2019-07-06 10:32:12 -07:00
Linus Torvalds 2692982b08 dmaengine fixes for v5.2
The fixes for 5.2 are:
  - bam_dma fix for completed descriptor count
  - fix for imx-sdma remove BD_INTR for channel0 and use-after-free on
    probe error path
  - endian bug fix in jz4780 IRQ handler
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJdIKs7AAoJEHwUBw8lI4NHlJMP/2b3q9I2E6tXXmI2vXrZPueP
 i0nSNbo18ACwXhF60v7E0jMs/TIYp18+Pu2TqsAv8rghl/GCJZwm65tMI9nEmlgi
 Jne8nIaXEHomQwuXOt4wqgIruX3gvBXiDxorUmPl1hU7dRuMQHSfYkDGRrp0ucKl
 I1ntgJUs51AiKTkLa6GrEXevpp1o34G+j0fZg/vu9vF4uiWmB1v0hxJSznEnkS4k
 NnQJ8+sSXmlqwUC/wnHKXKFsZu4MwRSYE+yWb2fCg8/PdZNGCxD+cMrudFskc1wo
 V1WfEufFbxV5z3YaO9a5Z+u9aTSWNW0xjFkPqCEbfduwyeSgrVjXlO9GRFMSAAMw
 aAXw1/KFl/asI/h4JsY7iIlg4xv7lKjcT3N0pE+/0SUvUvkENAYsU9MCbWEj+O5n
 MyH2URZJX1bqf1qcREB4+dPUlLbWgBU/U9lpFt2B2tO75T7zvij9jx1UfiH9SzOl
 FfylulXChYaFgDQY0UnfmveaUqd/Z/z+z5/ml1Dct0QxSWQREkBbNn3nTsV46Gn2
 bvdaN3Fqiy8WZF3IK9SzsILuXMNmAMUyKoFCEdun/s/7ItK1y59hMZv1NloSrE7U
 m8Liz2OEdetDTHK1anCuaD8UaPua/9buYaSwVgeN3w6SoJ7usmjk2ol0aRwU8qK1
 zPnVoLqy8FG6SXFzciCl
 =xnkJ
 -----END PGP SIGNATURE-----

Merge tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma

Pull dmaengine fixes from Vinod Koul:

 - bam_dma fix for completed descriptor count

 - fix for imx-sdma remove BD_INTR for channel0 and use-after-free on
   probe error path

 - endian bug fix in jz4780 IRQ handler

* tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma:
  dmaengine: qcom: bam_dma: Fix completed descriptors count
  dmaengine: imx-sdma: remove BD_INTR for channel0
  dmaengine: imx-sdma: fix use-after-free on probe error path
  dmaengine: jz4780: Fix an endian bug in IRQ handler
2019-07-06 10:06:37 -07:00
Linus Torvalds 4f8b49092c SCSI fixes on 20190705
Two iscsi fixes.  One for an oops in the client which can be triggered
 by the server authentication protocol and the other in the target code
 which causes data corruption.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCXR/L4iYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pisheVbAQDCQ05x
 L/SX0WyiX3dW0pp0kojnzPmfYj7NTBN7QlRwmQD/ZKEk/zc/P26q0lfdswhi8VJG
 mCaBruZwasyCZvktVEo=
 =eq7T
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Two iscsi fixes.

  One for an oops in the client which can be triggered by the server
  authentication protocol and the other in the target code which causes
  data corruption"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported
  scsi: target/iblock: Fix overrun in WRITE SAME emulation
2019-07-06 09:56:20 -07:00
Linus Torvalds ceacbc0e14 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fixlet from Al Viro:
 "Fix bogus default y in Kconfig (VALIDATE_FS_PARSER)

  That thing should not be turned on by default, especially since it's
  not quiet in case it finds no problems. Geert has sent the obvious fix
  quite a few times, but it fell through the cracks"

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  fs: VALIDATE_FS_PARSER should default to n
2019-07-06 09:53:08 -07:00
Greg Kroah-Hartman 7e41c3c9b6 blk-mq: fix up placement of debugfs directory of queue files
When the blk-mq debugfs file creation logic was "cleaned up" it was
cleaned up too much, causing the queue file to not be created in the
correct location.  Turns out the check for the directory being present
is needed as if that has not happened yet, the files should not be
created, and the function will be called later on in the initialization
code so that the files can be created in the correct location.

Fixes: 6cfc0081b0 ("blk-mq: no need to check return value of debugfs_create functions")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: linux-block@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2019-07-06 10:07:38 -06:00
Linus Torvalds 69bf4b6b54 Revert "mm: page cache: store only head pages in i_pages"
This reverts commit 5fd4ca2d84.

Mikhail Gavrilov reports that it causes the VM_BUG_ON_PAGE() in
__delete_from_swap_cache() to trigger:

   page:ffffd6d34dff0000 refcount:1 mapcount:1 mapping:ffff97812323a689 index:0xfecec363
   anon
   flags: 0x17fffe00080034(uptodate|lru|active|swapbacked)
   raw: 0017fffe00080034 ffffd6d34c67c508 ffffd6d3504b8d48 ffff97812323a689
   raw: 00000000fecec363 0000000000000000 0000000100000000 ffff978433ace000
   page dumped because: VM_BUG_ON_PAGE(entry != page)
   page->mem_cgroup:ffff978433ace000
   ------------[ cut here ]------------
   kernel BUG at mm/swap_state.c:170!
   invalid opcode: 0000 [#1] SMP NOPTI
   CPU: 1 PID: 221 Comm: kswapd0 Not tainted 5.2.0-0.rc2.git0.1.fc31.x86_64 #1
   Hardware name: System manufacturer System Product Name/ROG STRIX X470-I GAMING, BIOS 2202 04/11/2019
   RIP: 0010:__delete_from_swap_cache+0x20d/0x240
   Code: 30 65 48 33 04 25 28 00 00 00 75 4a 48 83 c4 38 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c6 2f dc 0f 8a 48 89 c7 e8 93 1b fd ff <0f> 0b 48 c7 c6 a8 74 0f 8a e8 85 1b fd ff 0f 0b 48 c7 c6 a8 7d 0f
   RSP: 0018:ffffa982036e7980 EFLAGS: 00010046
   RAX: 0000000000000021 RBX: 0000000000000040 RCX: 0000000000000006
   RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff97843d657900
   RBP: 0000000000000001 R08: ffffa982036e7835 R09: 0000000000000535
   R10: ffff97845e21a46c R11: ffffa982036e7835 R12: ffff978426387120
   R13: 0000000000000000 R14: ffffd6d34dff0040 R15: ffffd6d34dff0000
   FS:  0000000000000000(0000) GS:ffff97843d640000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00002cba88ef5000 CR3: 000000078a97c000 CR4: 00000000003406e0
   Call Trace:
    delete_from_swap_cache+0x46/0xa0
    try_to_free_swap+0xbc/0x110
    swap_writepage+0x13/0x70
    pageout.isra.0+0x13c/0x350
    shrink_page_list+0xc14/0xdf0
    shrink_inactive_list+0x1e5/0x3c0
    shrink_node_memcg+0x202/0x760
    shrink_node+0xe0/0x470
    balance_pgdat+0x2d1/0x510
    kswapd+0x220/0x420
    kthread+0xfb/0x130
    ret_from_fork+0x22/0x40

and it's not immediately obvious why it happens.  It's too late in the
rc cycle to do anything but revert for now.

Link: https://lore.kernel.org/lkml/CABXGCsN9mYmBD-4GaaeW_NrDu+FDXLzr_6x+XNxfmFV6QkYCDg@mail.gmail.com/
Reported-and-bisected-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Suggested-by: Jan Kara <jack@suse.cz>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Kirill Shutemov <kirill@shutemov.name>
Cc: William Kucharski <william.kucharski@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-05 19:55:18 -07:00
Linus Torvalds 9fdb86c8cf x86 bugfix patches and one compilation fix for ARM.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJdH7H6AAoJEL/70l94x66D3XcH/0If8IAHn746Y+2QoasbmW0m
 lACzkzNZYzKWUgzJ9+r4eNe0tq7wUzU546Jl2GgOjIcQGnRCPAJMGodGTEq5AGo2
 XWGHXkKLa9w3bSCRi9Ov7d1CGO9oDk6PtkTP4xT0oVyEtsgPdKWdEz2dDe8BnK7T
 BynVcz3JZOm+vE4N1GusjkdN6hbVFBdTZNSvN9uE3iNoUBUoe98Ctv2HiSca9tDF
 oPJpSWLSThC/cRXn1EX7uXiUTZ2bTaS+mCdwmR6QS5VBEHR+ssWzHq4ru/U0p/vO
 7L9AZoyCTqW5pOMuYZFnfntnbu54RUnfc7A0jyqzM2SFeBt8h9hpsVXoWmtnL5k=
 =qzdP
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "x86 bugfix patches and one compilation fix for ARM"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: arm64/sve: Fix vq_present() macro to yield a bool
  KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC
  KVM: nVMX: Change KVM_STATE_NESTED_EVMCS to signal vmcs12 is copied from eVMCS
  KVM: nVMX: Allow restore nested-state to enable eVMCS when vCPU in SMM
  KVM: x86: degrade WARN to pr_warn_ratelimited
2019-07-05 19:13:24 -07:00
Linus Torvalds 0e63665a1b - Fix the memory organization structure of a Macronix SPI-NAND chip.
- Fix a build dependency wrongly described.
 - Fix the sunxi NAND driver for A23/A33 SoCs by 1/ reverting the
   faulty commit introducing broken DMA support and 2/ applying another
   commit bringing working DMA support.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEE9HuaYnbmDhq/XIDIJWrqGEe9VoQFAl0fv4EACgkQJWrqGEe9
 VoQpzwgAoh+L1QH9KKBm/g7/4k8D+O1TmSEE50e5xmg8y0cQsqOwwa/Z+Jaeo4vm
 CsCRTsbOe7aivUX1EBbnL2Ye4nksZJGiujnIE12dhRy94oGE6NERsfMs8a2/Ksic
 F4is5CwR1lWAVq3mvj5WhofW+Fxh/0+NK38g/iCY87H0e2mIuateuaGhnfpfrD8y
 uJJHjpQHRkWaehXoL1GnytBVRLiX/vKhZyICiev1qQb6Kk5JTw/xuoFqkXT1wNOj
 pr/IKpS76+j+WfN7gwPvAMdkr7/LrWxhz0XdH0+/r77JY5udo6ht+KxMoLgeGYoc
 8VDa9Y2q+7NQcRAJ1StMgsMJG4vcCA==
 =U0/M
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux

Pull mtf fixes from Miquel Raynal:

 - Fix the memory organization structure of a Macronix SPI-NAND chip.

 - Fix a build dependency wrongly described.

 - Fix the sunxi NAND driver for A23/A33 SoCs by (a) reverting the
   faulty commit introducing broken DMA support and (b) applying another
   commit bringing working DMA support.

* tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
  mtd: rawnand: sunxi: Add A23/A33 DMA support with extra MBUS configuration
  Revert "mtd: rawnand: sunxi: Add A23/A33 DMA support"
  mtd: rawnand: ingenic: Fix ingenic_ecc dependency
  mtd: spinand: Fix max_bad_eraseblocks_per_lun info in memorg
2019-07-05 19:07:57 -07:00
Linus Torvalds 881ed91f7d Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixlet from Wolfram Sang:
 "I2C has a MAINTAINERS update which will be benfitial for developers,
  so let's add it right away"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: tegra: Add Dmitry as a reviewer
2019-07-05 19:04:57 -07:00
Linus Torvalds a8f46b5afe Two more quick bugfixes for nfsd, fixing a regression causing mount
failures on high-memory machines and fixing the DRC over RDMA.
 -----BEGIN PGP SIGNATURE-----
 
 iQJJBAABCAAzFiEEYtFWavXG9hZotryuJ5vNeUKO4b4FAl0fiP4VHGJmaWVsZHNA
 ZmllbGRzZXMub3JnAAoJECebzXlCjuG++dwP/RkuKV6sjmopr5/SNK334UDGbpAk
 h+VWAJSrnrLDqk2Ezwz4cO8XrPxMEiQQdKtiyIM51oshq9EN0u0gdOS7ycdz9mAm
 qm1WgekRH3vNiNYU+im2r7CXXrBUYeggi1clbOoJnEwsKxV0qFG74OxO8fB5gNMP
 Jeq46nofwSAjxLQBwTkHJhs0cV7rmJhq6mVWJ4lzD6JTzMH7FqO0zoJJHfyP5xb+
 SXSheqWK4eTKhvPJR0JwyiUBUXYzNZyDoNlyRCSVylfxha3cTxF0GeG1Pm2uS+sm
 V8QOnqud+4cF5Qa2zAZ2T/w7dgsfouAODQOi/gzDwE0EM+FojbOnk0CJwL7wuzB3
 flkmWOMER0RV92z7gWqh5JDQFoHeVkldZfFTrYfVWIcPV+pGLiRayzt+dlSbpaYj
 09jMlBLHXxHwCqPT5u8GFKveMNluYyIoKc3s38eojX2u3eg9HNsXoCfmbC2RGaZ4
 iT2E5isl7donclTHDKEU7RkWnaboSQoB+oodMWH8TN7p9FfgpsaObWTebrsbvvBN
 DMrdc+nJ+x78krI9XKpSQOmPpJH9siaIFn6nVq5oLNjytaH+UrrArvkLMKhuSW6L
 8u5fU3SvL0Eriuz7EtgZwosy+VPvFpXgQVMdJ+z/cm32mOeFgcz4BNEMaQuFJVaN
 fbY6fM46Xngo0A3x
 =f2gw
 -----END PGP SIGNATURE-----

Merge tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux

Pull nfsd fixes from Bruce Fields:
 "Two more quick bugfixes for nfsd: fixing a regression causing mount
  failures on high-memory machines and fixing the DRC over RDMA"

* tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux:
  nfsd: Fix overflow causing non-working mounts on 1 TB machines
  svcrdma: Ignore source port when computing DRC hash
2019-07-05 19:00:37 -07:00
Miquel Raynal c7a87ceb17 mtd: rawnand: sunxi: Add A23/A33 DMA support with extra MBUS configuration
Allwinner NAND controllers can make use of DMA to enhance the I/O
throughput thanks to ECC pipelining. DMA handling with A23/A33 NAND IP
is a bit different than with the older SoCs, hence the introduction of
a new compatible to handle:
* the differences between register offsets,
* the burst length change from 4 to minimum 8,
* manage SRAM accesses through MBUS with extra configuration.

Fixes: c49836f05a ("mtd: rawnand: sunxi: Add A23/A33 DMA support")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
2019-07-05 22:30:58 +02:00
Miquel Raynal 4f032640bf Revert "mtd: rawnand: sunxi: Add A23/A33 DMA support"
This reverts commit c49836f05a.

The commit is wrong and its approach actually does not work. Let's
revert it in order to add the feature with a clean patch.

Fixes: c49836f05a ("mtd: rawnand: sunxi: Add A23/A33 DMA support")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
2019-07-05 22:30:58 +02:00
Dmitry Osipenko f3a3ea28ed i2c: tegra: Add Dmitry as a reviewer
I'm contributing to Tegra's upstream development in general and happened
to review the Tegra's I2C patches for awhile because I'm actively using
upstream kernel on all of my Tegra-powered devices and initially some of
the submitted patches were getting my attention since they were causing
problems. Recently Wolfram Sang asked whether I'm interested in becoming
a reviewer for the driver and I don't mind at all.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
[wsa: ack was expressed by Thierry Reding in a mail thread]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
2019-07-05 20:46:56 +02:00
Geert Uytterhoeven 75f2d86b20 fs: VALIDATE_FS_PARSER should default to n
CONFIG_VALIDATE_FS_PARSER is a debugging tool to check that the parser
tables are vaguely sane.  It was set to default to 'Y' for the moment to
catch errors in upcoming fs conversion development.

Make sure it is not enabled by default in the final release of v5.1.

Fixes: 31d921c7fb ("vfs: Add configuration parser helpers")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2019-07-05 11:22:11 -04:00
Zhang Lei e644fa18e2 KVM: arm64/sve: Fix vq_present() macro to yield a bool
The original implementation of vq_present() relied on aggressive
inlining in order for the compiler to know that the code is
correct, due to some const-casting issues.  This was causing sparse
and clang to complain, while GCC compiled cleanly.

Commit 0c529ff789 addressed this problem, but since vq_present()
is no longer a function, there is now no implicit casting of the
returned value to the return type (bool).

In set_sve_vls(), this uncast bit value is compared against a bool,
and so may spuriously compare as unequal when both are nonzero.  As
a result, KVM may reject valid SVE vector length configurations as
invalid, and vice versa.

Fix it by forcing the returned value to a bool.

Signed-off-by: Zhang Lei <zhang.lei@jp.fujitsu.com>
Fixes: 0c529ff789 ("KVM: arm64: Implement vq_present() as a macro")
Signed-off-by: Dave Martin <Dave.Martin@arm.com> [commit message rewrite]
Cc: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-07-05 12:07:51 +02:00
Sricharan R f603422544 dmaengine: qcom: bam_dma: Fix completed descriptors count
One space is left unused in circular FIFO to differentiate
'full' and 'empty' cases. So take that in to account while
counting for the descriptors completed.

Fixes the issue reported here,
	https://lkml.org/lkml/2019/6/18/669

Cc: stable@vger.kernel.org
Reported-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Sricharan R <sricharan@codeaurora.org>
Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2019-07-05 13:18:27 +05:30
Robin Gong 3f93a4f297 dmaengine: imx-sdma: remove BD_INTR for channel0
It is possible for an irq triggered by channel0 to be received later
after clks are disabled once firmware loaded during sdma probe. If
that happens then clearing them by writing to SDMA_H_INTR won't work
and the kernel will hang processing infinite interrupts. Actually,
don't need interrupt triggered on channel0 since it's pollling
SDMA_H_STATSTOP to know channel0 done rather than interrupt in
current code, just clear BD_INTR to disable channel0 interrupt to
avoid the above case.
This issue was brought by commit 1d069bfa3c ("dmaengine: imx-sdma:
ack channel 0 IRQ in the interrupt handler") which didn't take care
the above case.

Fixes: 1d069bfa3c ("dmaengine: imx-sdma: ack channel 0 IRQ in the interrupt handler")
Cc: stable@vger.kernel.org #5.0+
Signed-off-by: Robin Gong <yibin.gong@nxp.com>
Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
Tested-by: Sven Van Asbroeck <thesven73@gmail.com>
Reviewed-by: Michael Olbrich <m.olbrich@pengutronix.de>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2019-07-05 13:15:37 +05:30
Sven Van Asbroeck 2b8066c3de dmaengine: imx-sdma: fix use-after-free on probe error path
If probe() fails anywhere beyond the point where
sdma_get_firmware() is called, then a kernel oops may occur.

Problematic sequence of events:
1. probe() calls sdma_get_firmware(), which schedules the
   firmware callback to run when firmware becomes available,
   using the sdma instance structure as the context
2. probe() encounters an error, which deallocates the
   sdma instance structure
3. firmware becomes available, firmware callback is
   called with deallocated sdma instance structure
4. use after free - kernel oops !

Solution: only attempt to load firmware when we're certain
that probe() will succeed. This guarantees that the firmware
callback's context will remain valid.

Note that the remove() path is unaffected by this issue: the
firmware loader will increment the driver module's use count,
ensuring that the module cannot be unloaded while the
firmware callback is pending or running.

Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
Reviewed-by: Robin Gong <yibin.gong@nxp.com>
[vkoul: fixed braces for if condition]
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2019-07-05 12:58:54 +05:30
Dan Carpenter 4c89cc73d1 dmaengine: jz4780: Fix an endian bug in IRQ handler
The "pending" variable was a u32 but we cast it to an unsigned long
pointer when we do the for_each_set_bit() loop.  The problem is that on
big endian 64bit systems that results in an out of bounds read.

Fixes: 4e4106f5e9 ("dmaengine: jz4780: Fix transfers being ACKed too soon")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2019-07-05 12:45:56 +05:30
Linus Torvalds 3f9c4dc633 drm imx, i915, amdgpu, panfrost, virtio, etnaviv fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJdHthAAAoJEAx081l5xIa+m4wQAJAFm0YimQFznAzVHat2fpCc
 61cT27GjT1Zbg3LlO2euIKbJ328VWMndxWqXbM6+BXFh3Cd5uOw39az3q5ihLs8t
 U1/dWt4UKHirGkbSB+qHan6C6rXPVOGjcuwL7cQxnwB+p7RV+dud36/Eq71sQ7yc
 vqaiSuEIBkElOQ8TDR92nK/ty1bzmFoky6/UWkVPxq560Yo8B6TlhS+guzdwDE3F
 DaS2y8Yi0FLowwrWMXpzzjVrxjcb+TzcM7p0iSToZsfXRapBkHa4PUskfbLZA6j8
 GSye5wc65WKbX4FxuFEj4koeBMUu5IBP7MrlR1tfouATBhUe5cibW7/MFAoDEQuh
 /5icw+/1gp1rqjApaA3vHrPzbiBOBOZGhHQqDCtHZXTkbulp1sFLVJdbX02SYK+d
 kj5tQFxMDdOeGwmZDVNhF13id5go2vmY4vYY+APhiNbQT3ibsh+fejBe5zUVa8U0
 iTmeTE7L+SB/5jS9Lcp3S8ZfUwcOTONn2cRcOuPO+38lzx3WE6HaYrR2FUbe7OVU
 CBFQD1Cl+jDjUJ0W1JPwTrvIbK0aUYhkIzT3pmBMlA6N62SKmuQH+Z1nPJY0THsi
 RNkTMHgPd7m01zUjOMCjpucbygdKDtPGTLcxd3djZediJhpjwgapy1NySzfotEcp
 ZkhRs/3ddNFvxibRpz41
 =Ipfl
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2019-07-05-1' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "I skipped last week because there wasn't much worth doing, this week
  got a few more fixes in.

  amdgpu:
   - default register value change
   - runpm regression fix
   - fan control fix

  i915:
   - fix Ironlake regression

  panfrost:
   - fix a double free

  virtio:
   - fix a locking bug

  imx:
   - crtc disable fixes"

* tag 'drm-fixes-2019-07-05-1' of git://anongit.freedesktop.org/drm/drm:
  drm/imx: only send event on crtc disable if kept disabled
  drm/imx: notify drm core before sending event during crtc disable
  drm/i915/ringbuffer: EMIT_INVALIDATE *before* switch context
  drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE
  drm/amdgpu: Don't skip display settings in hwmgr_resume()
  drm/amd/powerplay: use hardware fan control if no powerplay fan table
  drm/panfrost: Fix a double-free error
  drm/etnaviv: add missing failure path to destroy suballoc
  drm/virtio: move drm_connector_update_edid_property() call
2019-07-05 14:10:30 +09:00
Dave Airlie a0b2cf792a drm/imx: fix stale vblank timestamp after a modeset
This series fixes stale vblank timestamps in the first event sent after
 a crtc was disabled. The core now is notified via drm_crtc_vblank_off
 before sending the last pending event in atomic_disable. If the crtc is
 reenabled right away during to a modeset, the event is not sent at all,
 as the next vblank will take care of it.
 -----BEGIN PGP SIGNATURE-----
 
 iI0EABYIADUWIQRRO6F6WdpH1R0vGibVhaclGDdiwAUCXR3UqxcccC56YWJlbEBw
 ZW5ndXRyb25peC5kZQAKCRDVhaclGDdiwFogAQCE6HPaBbBOHJBT5hU4ysJG1Qge
 GuS/OKB2ZUDyrf3a1wEAy1qa+49x68a2coFksD571VDf+Pm85mRk+NrKl1oFFQo=
 =Bs9J
 -----END PGP SIGNATURE-----

Merge tag 'imx-drm-fixes-2019-07-04' of git://git.pengutronix.de/git/pza/linux into drm-fixes

drm/imx: fix stale vblank timestamp after a modeset

This series fixes stale vblank timestamps in the first event sent after
a crtc was disabled. The core now is notified via drm_crtc_vblank_off
before sending the last pending event in atomic_disable. If the crtc is
reenabled right away during to a modeset, the event is not sent at all,
as the next vblank will take care of it.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Philipp Zabel <p.zabel@pengutronix.de>
Link: https://patchwork.freedesktop.org/patch/msgid/1562237119.6641.16.camel@pengutronix.de
2019-07-05 14:51:03 +10:00
Linus Torvalds ee39d46dca Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:
 "This fixes two memory leaks and a list corruption bug"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: user - prevent operating on larval algorithms
  crypto: cryptd - Fix skcipher instance memory leak
  lib/mpi: Fix karactx leak in mpi_powm
2019-07-05 13:31:19 +09:00
Linus Torvalds a5fff14a0c Merge branch 'akpm' (patches from Andrew)
Merge more fixes from Andrew Morton:
 "5 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  swap_readpage(): avoid blk_wake_io_task() if !synchronous
  devres: allow const resource arguments
  mm/vmscan.c: prevent useless kswapd loops
  fs/userfaultfd.c: disable irqs for fault_pending and event locks
  mm/page_alloc.c: fix regression with deferred struct page init
2019-07-05 11:39:56 +09:00
Linus Torvalds ecbe5086ad ARM: SoC fixes
Likely our final small batch of fixes for 5.2:
 
  - Some fixes for USB on davinci, regressions were due to the recent
    conversion of the OCHI driver to use GPIO regulators
 
  - A fixup of kconfig dependencies for a TI irq controller
 
  - A switch of armada-38x to avoid dropped characters on uart, caused by
    switch of base inherited platform description earlier this year
 -----BEGIN PGP SIGNATURE-----
 
 iQJDBAABCAAtFiEElf+HevZ4QCAJmMQ+jBrnPN6EHHcFAl0eQuQPHG9sb2ZAbGl4
 b20ubmV0AAoJEIwa5zzehBx3hI8P/25Kx4vAcgzmZezixE3fT7TTE8ks7EpOmNRS
 P4DWheWehRlctaLjehWhsdOLcMyhMqa5WF3PgCw5j31c6zPLoe8ZiC8nizjVMKxu
 5vzMbN3R4MN5iFN8w9qzOYP2wHqZsnLoM/Epig9xei4kWvohq89QVW0R6lWg4xv0
 i40AyhLapbSCmLXJNd0N47jgjFek23aqAVbXyhq/GTlCDHAELF9gKZ+Zif3frPzH
 ZBCNB3pAiazOmMKp3BzKyM8Qbl/KQLEfWTXV3luGiHDJgO94guVvzrKYxsxTfJxd
 fsqrvqLp7S2pvHVcvF2PVeORl+5xAeP0nabuHwFHLi+E6VIzL9NS1h/h7Qoy5eAC
 Dj7aM+smsqAwId5s+oIhHtVrsfLK8AQ4TE53mUVTN2iikuJc04xYj72tIwB1LL2X
 99vYn+bRoitkYfff3XpuvJzOptAYKOvMsWmbCQ6ChckXXvqs6kKmsVvwAesqg/7j
 tsXy5iDVMuZiAvWcNstAiQtJggKC7tegWFBnqDLtKd7z1x3KivsErBJdR5x8f5vZ
 uxGOt8sS1fRChc03V0qFsrHAMc/0FBz4OdXYy0E83y3X7SYHbkoxOu6ZIioCBSWF
 9RFiKr55FNa6DrNBok6/tsqN9sBkcqwEk9kRZRmdC4zIRzIyg+SR09PEea3Nf66+
 KNmOEGs/
 =2Hcr
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fixes from Olof Johansson:
 "Likely our final small batch of fixes for 5.2:

   - Some fixes for USB on davinci, regressions were due to the recent
     conversion of the OCHI driver to use GPIO regulators

   - A fixup of kconfig dependencies for a TI irq controller

   - A switch of armada-38x to avoid dropped characters on uart, caused
     by switch of base inherited platform description earlier this year"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
  ARM: davinci: da830-evm: fix GPIO lookup for OHCI
  ARM: davinci: omapl138-hawk: add missing regulator constraints for OHCI
  ARM: davinci: da830-evm: add missing regulator constraints for OHCI
  soc: ti: fix irq-ti-sci link error
  ARM: dts: armada-xp-98dx3236: Switch to armada-38x-uart serial node
2019-07-05 11:35:45 +09:00
Linus Torvalds cde357c392 dax fix v5.2-rc8
- Fix xarray entry association for mixed mappings
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJdHpMDAAoJEB7SkWpmfYgCJ0wP/2fgMgoh1YBv4DU4gsNs328G
 pyTX3i6d+KoEmfvlcoOzU3lNtjf2S81H3QIkfTJG75uE9/3jNKOh+tPunj3/wIOv
 iHbpBZVK5OpE2f9FFNM785cTt7hBqBtR38N/PdKGFPSMzN9vX794rmvS8Ri0bHd4
 9zmSvdnrkdu0U4BGmBRZdUOCUIdDrtQClKJBRtG5Ksb194zf7lt/jm4k9WFMqfYA
 89mR/KHQhmhDnjyBynQa0TRtShlf/DsxtWiPyLT9FzD1RZt9+tFVLANRQEmFFAp2
 eb+b+LT35AdEEwErv7RkCCGSGKA7KXy7+hyETsoPMBXG08Q77nogG+zb/j0wCwvK
 SsQpo1aqmIeJRBQOXbYeqhn6VR9YuVMFlgaSfOcn/noQDHUIeKis2pnOMeKX36MN
 xHTQm9hSgG+0Des5UoAd4eNH5fDmwuUJK4o4kVGG3pKPuTzyW1gLyo7ItewleE7c
 7rOhLMU55mqUizxsBfEOO6qiJED64iQ2K3mve5I22YetaYCfdrNnU8x5iS9FEcir
 CATYHilKevowwVZg2a7Iy5FquYsQghMhZe4iF5gzjF+zEpj0Wi8S0nVsCtX8Js3S
 p/f3TFmc2i4ZCFPbOAAdYOuagU6pFbuSFQyjtljo5sjD3JKBXitgEaAepFXMtVSA
 EXEQYBgj5CoQ8ClF/eiA
 =NNXl
 -----END PGP SIGNATURE-----

Merge tag 'dax-fix-5.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm

Pull dax fix from Dan Williams:
 "A single dax fix that has been soaking awaiting other fixes under
  discussion to join it. As it is getting late in the cycle lets proceed
  with this fix and save follow-on changes for post-v5.3-rc1.

   - Fix xarray entry association for mixed mappings"

* tag 'dax-fix-5.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
  dax: Fix xarray entry association for mixed mappings
2019-07-05 11:32:11 +09:00
Linus Torvalds 2cd7cdc7e4 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull do_move_mount() fix from Al Viro:
 "Regression fix"

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  vfs: move_mount: reject moving kernel internal mounts
2019-07-05 11:21:36 +09:00
Oleg Nesterov 8751853091 swap_readpage(): avoid blk_wake_io_task() if !synchronous
swap_readpage() sets waiter = bio->bi_private even if synchronous = F,
this means that the caller can get the spurious wakeup after return.

This can be fatal if blk_wake_io_task() does
set_current_state(TASK_RUNNING) after the caller does
set_special_state(), in the worst case the kernel can crash in
do_task_dead().

Link: http://lkml.kernel.org/r/20190704160301.GA5956@redhat.com
Fixes: 0619317ff8 ("block: add polled wakeup task helper")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Qian Cai <cai@lca.pw>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-05 11:12:07 +09:00
Arnd Bergmann eef778c99c devres: allow const resource arguments
devm_ioremap_resource() does not currently take 'const' arguments, which
results in a warning from the first driver trying to do it anyway:

  drivers/gpio/gpio-amd-fch.c: In function 'amd_fch_gpio_probe':
  drivers/gpio/gpio-amd-fch.c:171:49: error: passing argument 2 of 'devm_ioremap_resource' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
    priv->base = devm_ioremap_resource(&pdev->dev, &amd_fch_gpio_iores);
                                                   ^~~~~~~~~~~~~~~~~~~

Change the prototype to allow it, as there is no real reason not to.

Link: http://lkml.kernel.org/r/20190628150049.1108048-1-arnd@arndb.de
Fixes: 9bb2e0452508 ("gpio: amd: Make resource struct const")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Enrico Weigelt <info@metux.net>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Cc: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-05 11:12:07 +09:00
Shakeel Butt dffcac2cb8 mm/vmscan.c: prevent useless kswapd loops
In production we have noticed hard lockups on large machines running
large jobs due to kswaps hoarding lru lock within isolate_lru_pages when
sc->reclaim_idx is 0 which is a small zone.  The lru was couple hundred
GiBs and the condition (page_zonenum(page) > sc->reclaim_idx) in
isolate_lru_pages() was basically skipping GiBs of pages while holding
the LRU spinlock with interrupt disabled.

On further inspection, it seems like there are two issues:

(1) If kswapd on the return from balance_pgdat() could not sleep (i.e.
    node is still unbalanced), the classzone_idx is unintentionally set
    to 0 and the whole reclaim cycle of kswapd will try to reclaim only
    the lowest and smallest zone while traversing the whole memory.

(2) Fundamentally isolate_lru_pages() is really bad when the
    allocation has woken kswapd for a smaller zone on a very large machine
    running very large jobs.  It can hoard the LRU spinlock while skipping
    over 100s of GiBs of pages.

This patch only fixes (1).  (2) needs a more fundamental solution.  To
fix (1), in the kswapd context, if pgdat->kswapd_classzone_idx is
invalid use the classzone_idx of the previous kswapd loop otherwise use
the one the waker has requested.

Link: http://lkml.kernel.org/r/20190701201847.251028-1-shakeelb@google.com
Fixes: e716f2eb24 ("mm, vmscan: prevent kswapd sleeping prematurely due to mismatched classzone_idx")
Signed-off-by: Shakeel Butt <shakeelb@google.com>
Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Hillf Danton <hdanton@sina.com>
Cc: Roman Gushchin <guro@fb.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-05 11:12:07 +09:00
Eric Biggers cbcfa130a9 fs/userfaultfd.c: disable irqs for fault_pending and event locks
When IOCB_CMD_POLL is used on a userfaultfd, aio_poll() disables IRQs
and takes kioctx::ctx_lock, then userfaultfd_ctx::fd_wqh.lock.

This may have to wait for userfaultfd_ctx::fd_wqh.lock to be released by
userfaultfd_ctx_read(), which in turn can be waiting for
userfaultfd_ctx::fault_pending_wqh.lock or
userfaultfd_ctx::event_wqh.lock.

But elsewhere the fault_pending_wqh and event_wqh locks are taken with
IRQs enabled.  Since the IRQ handler may take kioctx::ctx_lock, lockdep
reports that a deadlock is possible.

Fix it by always disabling IRQs when taking the fault_pending_wqh and
event_wqh locks.

Commit ae62c16e10 ("userfaultfd: disable irqs when taking the
waitqueue lock") didn't fix this because it only accounted for the
fd_wqh lock, not the other locks nested inside it.

Link: http://lkml.kernel.org/r/20190627075004.21259-1-ebiggers@kernel.org
Fixes: bfe4037e72 ("aio: implement IOCB_CMD_POLL")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reported-by: syzbot+fab6de82892b6b9c6191@syzkaller.appspotmail.com
Reported-by: syzbot+53c0b767f7ca0dc0c451@syzkaller.appspotmail.com
Reported-by: syzbot+a3accb352f9c22041cfa@syzkaller.appspotmail.com
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>	[4.19+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-05 11:12:07 +09:00
Juergen Gross b9705d8778 mm/page_alloc.c: fix regression with deferred struct page init
Commit 0e56acae4b ("mm: initialize MAX_ORDER_NR_PAGES at a time
instead of doing larger sections") is causing a regression on some
systems when the kernel is booted as Xen dom0.

The system will just hang in early boot.

Reason is an endless loop in get_page_from_freelist() in case the first
zone looked at has no free memory.  deferred_grow_zone() is always
returning true due to the following code snipplet:

  /* If the zone is empty somebody else may have cleared out the zone */
  if (!deferred_init_mem_pfn_range_in_zone(&i, zone, &spfn, &epfn,
                                           first_deferred_pfn)) {
          pgdat->first_deferred_pfn = ULONG_MAX;
          pgdat_resize_unlock(pgdat, &flags);
          return true;
  }

This in turn results in the loop as get_page_from_freelist() is assuming
forward progress can be made by doing some more struct page
initialization.

Link: http://lkml.kernel.org/r/20190620160821.4210-1-jgross@suse.com
Fixes: 0e56acae4b ("mm: initialize MAX_ORDER_NR_PAGES at a time instead of doing larger sections")
Signed-off-by: Juergen Gross <jgross@suse.com>
Suggested-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Acked-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-05 11:12:07 +09:00
Linus Torvalds c212ddaee2 sound fixes for 5.2
Here are a collection of small fixes for:
 - A race with ASoC HD-audio registration
 - LINE6 usb-audio memory overwrite by malformed descriptor
 - FireWire MIDI handling
 - Missing cast for bit shifts in a few USB-audio quirks
 - The wrong function calls in minor OSS sequencer code paths
 - A couple of HD-audio quirks
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAl0cmzoOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE+Tvw/+L6btk7A3kIAFU5RVf1dNVBzuaHcXm0/AZl4I
 AfiyVTNtSHSwaxXFSnWuAE1Y6fxVOcs9iRMToxQCZlWqjsF5I8GA8OEpRA2hqrgb
 C1BxlNeriOJMoD9wazRM6hmgprmwKS4ssGYEb9EMKyWbKcZ2IAExmQNLKAnd1Uhr
 KH8Ryc6CGqYUbtafHCmhpfI7ROgZBDydO7LWWiUpCl2GNFMMeX9Q16WueEjBgNvL
 qXWW8r5ix67qZuODKGdhei0JmZGSkrR1uT9EMqx15cks6+NsLAFVRy8/h2k/sbob
 ut9VTn4N7kGoXVnqpcOIQNZuvOr8NkG7gDEVILmPqeI+0w/Gm+mhNSSZl3aEo8G2
 F/smMeqPSgZQfWVouH56u1QKDps5kCKenSar6a+7SuATLL5LUq4xDkw9o/T/nb9i
 8ijp4ZtyKUt+YQvtQrjuGunzbhhaZywTBNodKtxHzqzMPnqGQhma6SWx+bxvLYOO
 hoNfU8i2nfg6MoBh1Q6aKZgE+Oz8c2kjOnkQsxV5pYrMGqPMTLNaz+s3+Sq7G9Wc
 Zy2lZ1rNJditG/oqyVGfOMt7qu/fOeo//lfX1ZSQ95W+lSs3hYrMeckPpuhWRwCD
 YK9zMQ9kuRYooHZJgf0F62EoN+/PUXvozAHXUBsDw7XwWUULX9ffUoZewFUj2NwY
 mKer+p8=
 =KxxN
 -----END PGP SIGNATURE-----

Merge tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Here are a collection of small fixes for:

   - A race with ASoC HD-audio registration

   - LINE6 usb-audio memory overwrite by malformed descriptor

   - FireWire MIDI handling

   - Missing cast for bit shifts in a few USB-audio quirks

   - The wrong function calls in minor OSS sequencer code paths

   - A couple of HD-audio quirks"

* tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: line6: Fix write on zero-sized buffer
  ALSA: hda: Fix widget_mutex incomplete protection
  ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
  ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
  ALSA: hda/realtek - Change front mic location for Lenovo M710q
  ALSA: usb-audio: fix sign unintended sign extension on left shifts
  ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
2019-07-05 02:03:50 +09:00
Jann Horn 6994eefb00 ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
Fix two issues:

When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
reference to the parent's objective credentials, then give that pointer
to get_cred().  However, the object lifetime rules for things like
struct cred do not permit unconditionally turning an RCU reference into
a stable reference.

PTRACE_TRACEME records the parent's credentials as if the parent was
acting as the subject, but that's not the case.  If a malicious
unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
at a later point, the parent process becomes attacker-controlled
(because it drops privileges and calls execve()), the attacker ends up
with control over two processes with a privileged ptrace relationship,
which can be abused to ptrace a suid binary and obtain root privileges.

Fix both of these by always recording the credentials of the process
that is requesting the creation of the ptrace relationship:
current_cred() can't change under us, and current is the proper subject
for access control.

This change is theoretically userspace-visible, but I am not aware of
any code that it will actually break.

Fixes: 64b875f7ac ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-05 02:00:41 +09:00
Robert Beckett 5aeab2bfc9 drm/imx: only send event on crtc disable if kept disabled
The event will be sent as part of the vblank enable during the modeset
if the crtc is not being kept disabled.

Fixes: 5f2f911578 ("drm/imx: atomic phase 3 step 1: Use atomic configuration")

Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
2019-07-04 12:21:25 +02:00
Robert Beckett 78c68e8f5c drm/imx: notify drm core before sending event during crtc disable
Notify drm core before sending pending events during crtc disable.
This fixes the first event after disable having an old stale timestamp
by having drm_crtc_vblank_off update the timestamp to now.

This was seen while debugging weston log message:
Warning: computed repaint delay is insane: -8212 msec

This occurred due to:
1. driver starts up
2. fbcon comes along and restores fbdev, enabling vblank
3. vblank_disable_fn fires via timer disabling vblank, keeping vblank
seq number and time set at current value
(some time later)
4. weston starts and does a modeset
5. atomic commit disables crtc while it does the modeset
6. ipu_crtc_atomic_disable sends vblank with old seq number and time

Fixes: a474478642 ("drm/imx: fix crtc vblank state regression")

Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
2019-07-04 12:21:25 +02:00
Linus Torvalds 550d1f5bda This includes three fixes:
- Fixes a deadlock from a previous fix to keep module loading
    and function tracing text modifications from stepping on each other.
    (this has a few patches to help document the issue in comments)
 
  - Fix a crash when the snapshot buffer gets out of sync with the
    main ring buffer.
 
  - Fix a memory leak when reading the memory logs
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQRRSw7ePDh/lE+zeZMp5XQQmuv6qgUCXRzBCBQccm9zdGVkdEBn
 b29kbWlzLm9yZwAKCRAp5XQQmuv6qnDaAP9qTFBOFtgIGCT5wVP8xjQeESxh1b8R
 tbaT7/U2oPpeiwEAvp1mYo5UYcc8KauBqVaLSLJVN4pv07xiZF5Qgh9C1QE=
 =m2IT
 -----END PGP SIGNATURE-----

Merge tag 'trace-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

Pull tracing fixes from Steven Rostedt:
 "This includes three fixes:

   - Fix a deadlock from a previous fix to keep module loading and
     function tracing text modifications from stepping on each other
     (this has a few patches to help document the issue in comments)

   - Fix a crash when the snapshot buffer gets out of sync with the main
     ring buffer

   - Fix a memory leak when reading the memory logs"

* tag 'trace-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare()
  tracing/snapshot: Resize spare buffer if size changed
  tracing: Fix memory leak in tracing_err_log_open()
  ftrace/x86: Add a comment to why we take text_mutex in ftrace_arch_code_modify_prepare()
  ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()
2019-07-04 10:26:17 +09:00
Dave Airlie b5252bdf09 Merge branch 'etnaviv/fixes' of https://git.pengutronix.de/git/lst/linux into drm-fixes
Fix a kernel nullptr deref on module
unload when any etnaviv GPU failed to initialize properly.

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Lucas Stach <l.stach@pengutronix.de>
Link: https://patchwork.freedesktop.org/patch/msgid/1561974148.2321.1.camel@pengutronix.de
2019-07-04 11:19:34 +10:00
Dave Airlie a956c56b6a panfrost- Avoid double free by deleting GEM handle in create_bo failure
path (Boris)
 
 Cc: Boris Brezillon <boris.brezillon@collabora.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEfxcpfMSgdnQMs+QqlvcN/ahKBwoFAl0dRFUACgkQlvcN/ahK
 Bwokcwf/aNT6EGTUsQZK1AHzoA6YN7o5Hgpng0Ut/Co67DN2QKj6FKGQxQKQ+uMf
 a/pKufg1yHUOd+lJm/MgJl1fAy0mqDv75LAO1askAusWqGZulRcpEbUwMmYs02v5
 xt1nHpPB7rvLCQsUK0vurX9E4HJ7VsHiaeDcWXRybc7XKxdafJVDPxOyzk+z3fpK
 ZxaRj8SjlWTS0NREcAPaPJQWhbr1Uf+FaNQuqnX/p7bHXtavq4SqouW42DM0bx7D
 sbGLEtvB/iusozOwQ6aXzRWdeCX7haYPPprJn78dlDJof1A9TU9cmLOgqtq9EHEL
 4yorb/aj3aDgsnmqC4BBZ17fnq6axw==
 =EjV2
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2019-07-03' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

panfrost- Avoid double free by deleting GEM handle in create_bo failure
          path (Boris)

Cc: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Sean Paul <sean@poorly.run>
Link: https://patchwork.freedesktop.org/patch/msgid/20190704001302.GA260390@art_vandelay
2019-07-04 11:17:48 +10:00
Dave Airlie 5ee5d30a81 Merge tag 'drm-fixes-5.2-2019-07-02' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
drm-fixes-5.2-2019-07-02:

Fixes for stable

amdgpu:
- stability fix for gfx9
- regression fix for HG on some polaris boards
- crash fix for some new OEM boards

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190703015705.3162-1-alexander.deucher@amd.com
2019-07-04 11:17:23 +10:00
Linus Torvalds 179c96d9f7 A single fixup for the SPI CS gpios that regressed
in the current kernel cycle.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJdHJ83AAoJEEEQszewGV1zStUP/joc3S0VFFVXQjCxzZysQbpw
 cea8SVMOvhaDYp+lQugDIqyYQsSbD+kstozHNsyL1rgRoL5WWESrA65acmDIuEaO
 C30uqg6C/MJ9VgTg0m0DKLCWpfz8ZCTsfah8Ln8l1uYOmBNdK5dpzx5YZT+Ir3m5
 a+NoH77t1xRERrtiFjwYLgZB1/HX6FCTF6xglSX8ni1TL1yyMzLBBcd8+EA/TFWY
 ngXy/bnJKixPDVPTFspXQl3+8QwerHMmXxxs02vDpYW3wVDJiOvrHa/63tMswPce
 3K2Ir1tHkU2EhbdY0Dr9xEDFbXF3jGsN6Na1Xb/shlYMT7v5wp99eLPwV32sAGzu
 NWDxPezPmbm1dzMmjodh8rh57Tuy4wTFPZoo0El2xHmmphB5lcL7IfqpqTZ0zP/y
 3/7tQePtcvT0NmDC7HLQjqeoEwBenTA7m5jUO0GJ2++T0FbE3wLH/7Q4IX1L8W9S
 BFXiejhDVbkWwjPpq6MbXEtfaDGDFrWb8mgvY/H3iTzGtl5z6lALtFC12eyQWiqs
 bz/YnrFyAcf2ZlCoLQzoWnN4TDXIEA5bdhaQIswVkwOhPCYq9qb9YrX7MI++vRnh
 soIWZ0I84Vl5oKdTq78OJUggHiTI5rJA5xQaUtqOIDD+HoXWr7Sb6H2aUda9uP0Y
 jD8KvOJnZNUGxkt5IdiQ
 =C8n2
 -----END PGP SIGNATURE-----

Merge tag 'gpio-v5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio

Pull GPIO fix from Linus Walleij:
 "A single fixup for the SPI CS gpios that regressed in the current
  kernel cycle"

* tag 'gpio-v5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio/spi: Fix spi-gpio regression on active high CS
2019-07-04 09:59:08 +09:00
Paul Menzel 3b2d4dcf71 nfsd: Fix overflow causing non-working mounts on 1 TB machines
Since commit 10a68cdf10 (nfsd: fix performance-limiting session
calculation) (Linux 5.1-rc1 and 4.19.31), shares from NFS servers with
1 TB of memory cannot be mounted anymore. The mount just hangs on the
client.

The gist of commit 10a68cdf10 is the change below.

    -avail = clamp_t(int, avail, slotsize, avail/3);
    +avail = clamp_t(int, avail, slotsize, total_avail/3);

Here are the macros.

    #define min_t(type, x, y)       __careful_cmp((type)(x), (type)(y), <)
    #define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)

`total_avail` is 8,434,659,328 on the 1 TB machine. `clamp_t()` casts
the values to `int`, which for 32-bit integers can only hold values
−2,147,483,648 (−2^31) through 2,147,483,647 (2^31 − 1).

`avail` (in the function signature) is just 65536, so that no overflow
was happening. Before the commit the assignment would result in 21845,
and `num = 4`.

When using `total_avail`, it is causing the assignment to be
18446744072226137429 (printed as %lu), and `num` is then 4164608182.

My next guess is, that `nfsd_drc_mem_used` is then exceeded, and the
server thinks there is no memory available any more for this client.

Updating the arguments of `clamp_t()` and `min_t()` to `unsigned long`
fixes the issue.

Now, `avail = 65536` (before commit 10a68cdf10 `avail = 21845`), but
`num = 4` remains the same.

Fixes: c54f24e338 (nfsd: fix performance-limiting session calculation)
Cc: stable@vger.kernel.org
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2019-07-03 17:51:31 -04:00
Eric Biggers 21d4120ec6 crypto: user - prevent operating on larval algorithms
Michal Suchanek reported [1] that running the pcrypt_aead01 test from
LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.

The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
unregister isn't a real registered algorithm, but rather is a "test
larval", which is a special "algorithm" added to the algorithms list
while the real algorithm is still being tested.  Larvals don't have
initialized cra_users, so that causes the crash.  Normally pcrypt_aead01
doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.

Everything else in the "crypto user configuration" API has this same bug
too, i.e. it inappropriately allows operating on larval algorithms
(though it doesn't look like the other cases can cause a crash).

Fix this by making crypto_alg_match() exclude larval algorithms.

[1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
[2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c

Reported-by: Michal Suchanek <msuchanek@suse.de>
Fixes: a38f7907b9 ("crypto: Add userspace configuration API")
Cc: <stable@vger.kernel.org> # v3.2+
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-07-03 22:11:55 +08:00
Vincent Whitchurch 1a0fad630e crypto: cryptd - Fix skcipher instance memory leak
cryptd_skcipher_free() fails to free the struct skcipher_instance
allocated in cryptd_create_skcipher(), leading to a memory leak.  This
is detected by kmemleak on bootup on ARM64 platforms:

 unreferenced object 0xffff80003377b180 (size 1024):
   comm "cryptomgr_probe", pid 822, jiffies 4294894830 (age 52.760s)
   backtrace:
     kmem_cache_alloc_trace+0x270/0x2d0
     cryptd_create+0x990/0x124c
     cryptomgr_probe+0x5c/0x1e8
     kthread+0x258/0x318
     ret_from_fork+0x10/0x1c

Fixes: 4e0958d19b ("crypto: cryptd - Add support for skcipher")
Cc: <stable@vger.kernel.org>
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-07-03 22:11:55 +08:00
Herbert Xu c8ea9fce2b lib/mpi: Fix karactx leak in mpi_powm
Sometimes mpi_powm will leak karactx because a memory allocation
failure causes a bail-out that skips the freeing of karactx.  This
patch moves the freeing of karactx to the end of the function like
everything else so that it can't be skipped.

Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com
Fixes: cdec9cb516 ("crypto: GnuPG based MPI lib - source files...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-07-03 22:11:55 +08:00
Matias Karhumaa eca9443293 Bluetooth: Fix faulty expression for minimum encryption key size check
Fix minimum encryption key size check so that HCI_MIN_ENC_KEY_SIZE is
also allowed as stated in the comment.

This bug caused connection problems with devices having maximum
encryption key size of 7 octets (56-bit).

Fixes: 693cd8ce3f ("Bluetooth: Fix regression with minimum encryption key size alignment")
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203997
Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-03 16:09:09 +08:00
Linus Torvalds 6e692c3b72 SMB3 fix (for stable as well) for crash mishandling one of the Windows reparse point symlink tags
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAl0b67IACgkQiiy9cAdy
 T1H/Ngv/XNc9l/OEHwyWZ1QnSCBKZyLyD5ZcKQRFFkfiktmQ8FtPUzf4qKlHxX1h
 ssefwBIbkW1+DG2sgvrL7OfqnPDnSezVoifvRmbh0nFX8anWhtChZMc0s+xiLtz2
 SbDBugNSkc8l9fvQz5A6VPJ3TcNA+VsSE2rr1HuimS9S4RAy1RsPhhWNyUh3GV5A
 SWuD7bsnxZ7/H2l+hx+s2O5RLDFoeniEIGFTsH9/f7Q19YGJtf6arnUlyUaZjkXK
 bPV2jZyalRUznK7RSFDLu49fS2zH8/m6MfBYyat31SZVtLFcQC/ijhKYTWr8wrKu
 +iQPlX+IDk4rfH/++7PXJJv1sKFLZNEs22dOi1YG0FgkRtMNA8HzmJqVFLcgoB2d
 QD7Ahj4dE0ghXv1dLMjfKdchNbkrWiygfpje54AkhU9SWUIS/EljDbQSq3e/wpAW
 i9HxCGCmmTPFzVKDVhyaBXHi6h5pzd7FfNNS4iJ2Lsy5PRLOHBMxaX1wknu/8vP0
 IIWuB9Hh
 =1zkr
 -----END PGP SIGNATURE-----

Merge tag '5.2-rc6-smb3-fix' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fix from Steve French:
 "SMB3 fix (for stable as well) for crash mishandling one of the Windows
  reparse point symlink tags"

* tag '5.2-rc6-smb3-fix' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: fix crash querying symlinks stored as reparse-points
2019-07-03 16:06:36 +08:00