Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.7-rc2 2016-06-05T21:31:26Z 2016-06-05T21:31:26Z Linus Torvalds torvalds@linux-foundation.org 2016-06-05T21:31:26Z urn:sha1:af8c34ce6ae32addda3788d54a7e340cad22516b 2016-06-05T18:15:33Z Linus Torvalds torvalds@linux-foundation.org 2016-06-05T18:15:33Z urn:sha1:5975b2c0c10adbc7894a54ab7b30db4fbcdd8c41 Pull parisc fixes from Helge Deller: - Fix printk time stamps on SMP systems which got wrong due to a patch which was added during the merge window - Fix two bugs in the stack backtrace code: Races in module unloading and possible invalid accesses to memory due to wrong instruction decoding (Mikulas Patocka) - Fix userspace crash when syscalls access invalid unaligned userspace addresses. Those syscalls will now return EFAULT as expected. (tagged for stable kernel series) * 'parisc-4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Move die_if_kernel() prototype into traps.h header parisc: Fix pagefault crash in unaligned __get_user() call parisc: Fix printk time during boot parisc: Fix backtrace on PA-RISC 2016-06-05T18:02:00Z Linus Torvalds torvalds@linux-foundation.org 2016-06-05T18:02:00Z urn:sha1:d834502e2fca9380a1579fecd134ef94c063b662 Pull key handling update from James Morris: "This alters a new keyctl function added in the current merge window to allow for a future extension planned for the next merge window" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: KEYS: Add placeholder for KDF usage with DH 2016-06-05T17:36:01Z Eric W. Biederman ebiederm@xmission.com 2016-06-02T15:29:47Z urn:sha1:eedf265aa003b4781de24cfed40a655a664457e6 The /dev/ptmx device node is changed to lookup the directory entry "pts" in the same directory as the /dev/ptmx device node was opened in. If there is a "pts" entry and that entry is a devpts filesystem /dev/ptmx uses that filesystem. Otherwise the open of /dev/ptmx fails. The DEVPTS_MULTIPLE_INSTANCES configuration option is removed, so that userspace can now safely depend on each mount of devpts creating a new instance of the filesystem. Each mount of devpts is now a separate and equal filesystem. Reserved ttys are now available to all instances of devpts where the mounter is in the initial mount namespace. A new vfs helper path_pts is introduced that finds a directory entry named "pts" in the directory of the passed in path, and changes the passed in path to point to it. The helper path_pts uses a function path_parent_directory that was factored out of follow_dotdot. In the implementation of devpts: - devpts_mnt is killed as it is no longer meaningful if all mounts of devpts are equal. - pts_sb_from_inode is replaced by just inode->i_sb as all cached inodes in the tty layer are now from the devpts filesystem. - devpts_add_ref is rolled into the new function devpts_ptmx. And the unnecessary inode hold is removed. - devpts_del_ref is renamed devpts_release and reduced to just a deacrivate_super. - The newinstance mount option continues to be accepted but is now ignored. In devpts_fs.h definitions for when !CONFIG_UNIX98_PTYS are removed as they are never used. Documentation/filesystems/devices.txt is updated to describe the current situation. This has been verified to work properly on openwrt-15.05, centos5, centos6, centos7, debian-6.0.2, debian-7.9, debian-8.2, ubuntu-14.04.3, ubuntu-15.10, fedora23, magia-5, mint-17.3, opensuse-42.1, slackware-14.1, gentoo-20151225 (13.0?), archlinux-2015-12-01. With the caveat that on centos6 and on slackware-14.1 that there wind up being two instances of the devpts filesystem mounted on /dev/pts, the lower copy does not end up getting used. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Greg KH <greg@kroah.com> Cc: Peter Hurley <peter@hurleysoftware.com> Cc: Peter Anvin <hpa@zytor.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Serge Hallyn <serge.hallyn@ubuntu.com> Cc: Willy Tarreau <w@1wt.eu> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk> Cc: Jann Horn <jann@thejh.net> Cc: Jiri Slaby <jslaby@suse.com> Cc: Florian Weimer <fw@deneb.enyo.de> Cc: Konstantin Khlebnikov <koct9i@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2016-06-05T06:49:01Z Helge Deller deller@gmx.de 2016-06-04T15:38:09Z urn:sha1:58f1c654d13a42575d507ea61f6de0332a761e75 Signed-off-by: Helge Deller <deller@gmx.de> 2016-06-05T06:48:24Z Helge Deller deller@gmx.de 2016-06-04T15:21:33Z urn:sha1:8b78f260887df532da529f225c49195d18fef36b One of the debian buildd servers had this crash in the syslog without any other information: Unaligned handler failed, ret = -2 clock_adjtime (pid 22578): Unaligned data reference (code 28) CPU: 1 PID: 22578 Comm: clock_adjtime Tainted: G E 4.5.0-2-parisc64-smp #1 Debian 4.5.4-1 task: 000000007d9960f8 ti: 00000001bde7c000 task.ti: 00000001bde7c000 YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI PSW: 00001000000001001111100000001111 Tainted: G E r00-03 000000ff0804f80f 00000001bde7c2b0 00000000402d2be8 00000001bde7c2b0 r04-07 00000000409e1fd0 00000000fa6f7fff 00000001bde7c148 00000000fa6f7fff r08-11 0000000000000000 00000000ffffffff 00000000fac9bb7b 000000000002b4d4 r12-15 000000000015241c 000000000015242c 000000000000002d 00000000fac9bb7b r16-19 0000000000028800 0000000000000001 0000000000000070 00000001bde7c218 r20-23 0000000000000000 00000001bde7c210 0000000000000002 0000000000000000 r24-27 0000000000000000 0000000000000000 00000001bde7c148 00000000409e1fd0 r28-31 0000000000000001 00000001bde7c320 00000001bde7c350 00000001bde7c218 sr00-03 0000000001200000 0000000001200000 0000000000000000 0000000001200000 sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d2e84 00000000402d2e88 IIR: 0ca0d089 ISR: 0000000001200000 IOR: 00000000fa6f7fff CPU: 1 CR30: 00000001bde7c000 CR31: ffffffffffffffff ORIG_R28: 00000002369fe628 IAOQ[0]: compat_get_timex+0x2dc/0x3c0 IAOQ[1]: compat_get_timex+0x2e0/0x3c0 RP(r2): compat_get_timex+0x40/0x3c0 Backtrace: [<00000000402d4608>] compat_SyS_clock_adjtime+0x40/0xc0 [<0000000040205024>] syscall_exit+0x0/0x14 This means the userspace program clock_adjtime called the clock_adjtime() syscall and then crashed inside the compat_get_timex() function. Syscalls should never crash programs, but instead return EFAULT. The IIR register contains the executed instruction, which disassebles into "ldw 0(sr3,r5),r9". This load-word instruction is part of __get_user() which tried to read the word at %r5/IOR (0xfa6f7fff). This means the unaligned handler jumped in. The unaligned handler is able to emulate all ldw instructions, but it fails if it fails to read the source e.g. because of page fault. The following program reproduces the problem: #define _GNU_SOURCE #include <unistd.h> #include <sys/syscall.h> #include <sys/mman.h> int main(void) { /* allocate 8k */ char *ptr = mmap(NULL, 2*4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); /* free second half (upper 4k) and make it invalid. */ munmap(ptr+4096, 4096); /* syscall where first int is unaligned and clobbers into invalid memory region */ /* syscall should return EFAULT */ return syscall(__NR_clock_adjtime, 0, ptr+4095); } To fix this issue we simply need to check if the faulting instruction address is in the exception fixup table when the unaligned handler failed. If it is, call the fixup routine instead of crashing. While looking at the unaligned handler I found another issue as well: The target register should not be modified if the handler was unsuccessful. Signed-off-by: Helge Deller <deller@gmx.de> Cc: stable@vger.kernel.org 2016-06-05T06:45:09Z Helge Deller deller@gmx.de 2016-06-03T17:22:31Z urn:sha1:0032c08833ab7c7861d12eb35da26dce85f3e229 Avoid showing invalid printk time stamps during boot. Signed-off-by: Helge Deller <deller@gmx.de> Reviewed-by: Aaro Koskinen <aaro.koskinen@iki.fi> 2016-06-04T20:05:07Z Mikulas Patocka mpatocka@redhat.com 2011-06-28T22:48:19Z urn:sha1:be24a89700eef61bedaba40f3b05ef07f5806e38 This patch fixes backtrace on PA-RISC There were several problems: 1) The code that decodes instructions handles instructions that subtract from the stack pointer incorrectly. If the instruction subtracts the number X from the stack pointer the code increases the frame size by (0x100000000-X). This results in invalid accesses to memory and recursive page faults. 2) Because gcc reorders blocks, handling instructions that subtract from the frame pointer is incorrect. For example, this function int f(int a) { if (__builtin_expect(a, 1)) return a; g(); return a; } is compiled in such a way, that the code that decreases the stack pointer for the first "return a" is placed before the code for "g" call. If we recognize this decrement, we mistakenly believe that the frame size for the "g" call is zero. To fix problems 1) and 2), the patch doesn't recognize instructions that decrease the stack pointer at all. To further safeguard the unwind code against nonsense values, we don't allow frame size larger than Total_frame_size. 3) The backtrace is not locked. If stack dump races with module unload, invalid table can be accessed. This patch adds a spinlock when processing module tables. Note, that for correct backtrace, you need recent binutils. Binutils 2.18 from Debian 5 produce garbage unwind tables. Binutils 2.21 work better (it sometimes forgets function frames, but at least it doesn't generate garbage). Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Helge Deller <deller@gmx.de> 2016-06-04T19:30:36Z Linus Torvalds torvalds@linux-foundation.org 2016-06-04T19:30:36Z urn:sha1:049ec1b5a76d34a6980cccdb7c0baeb4eed7a993 Pull drm fixes from Dave Airlie: "A bunch of ARM drivers got into the fixes vibe this time around, so this contains a bunch of fixes for imx, atmel hlcdc, arm hdlcd (only so many combos of hlcd), mediatek and omap drm. Other than that there is one mgag200 fix and a few core drm regression fixes" * tag 'drm-fixes-for-v4.7-rc2' of git://people.freedesktop.org/~airlied/linux: (34 commits) drm/omap: fix unused variable warning. drm: hdlcd: Add information about the underlying framebuffers in debugfs drm: hdlcd: Cleanup the atomic plane operations drm/hdlcd: Fix up crtc_state->event handling drm: hdlcd: Revamp runtime power management drm/mediatek: mtk_dsi: Remove spurious drm_connector_unregister drm/mediatek: mtk_dpi: remove invalid error message drm: atmel-hlcdc: fix a NULL check drm: atmel-hlcdc: fix atmel_hlcdc_crtc_reset() implementation drm/mgag200: Black screen fix for G200e rev 4 drm: Wrap direct calls to driver->gem_free_object from CMA drm: fix fb refcount issue with atomic modesetting drm: make drm_atomic_set_mode_prop_for_crtc() more reliable drm/sti: remove extra mode fixup drm: add missing drm_mode_set_crtcinfo call drm/omap: include gpio/consumer.h where needed drm/omap: include linux/seq_file.h where needed Revert "drm/omap: no need to select OMAP2_DSS" drm/omap: Remove regulator API abuse OMAPDSS: HDMI5: Change DDC timings ... 2016-06-04T19:25:36Z Linus Torvalds torvalds@linux-foundation.org 2016-06-04T19:25:36Z urn:sha1:f2c6b9e4b2708ae50e3ab8c91dcad1564974f2a4 Pull VFIO fixes from Alex Williamson: "Fix irqfd shutdown ordering, build warning, and VPD short read" * tag 'vfio-v4.7-rc2' of git://github.com/awilliam/linux-vfio: vfio/pci: Allow VPD short read vfio/type1: Fix build warning vfio/pci: Fix ordering of eventfd vs virqfd shutdown