user/sven/linux.git/include, branch v4.1.34

fix fault_in_multipages_...() on architectures with no-op access_ok()

2016-10-03T16:58:36Z

[ Upstream commit e23d4159b109167126e5bcd7f3775c95de7fee47 ] Switching iov_iter fault-in to multipages variants has exposed an old bug in underlying fault_in_multipages_...(); they break if the range passed to them wraps around. Normally access_ok() done by callers will prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into such a range and they should not point to any valid objects). However, on architectures where userland and kernel live in different MMU contexts (e.g. s390) access_ok() is a no-op and on those a range with a wraparound can reach fault_in_multipages_...(). Since any wraparound means EFAULT there, the fix is trivial - turn those while (uaddr <= end) ... into if (unlikely(uaddr > end)) return -EFAULT; do ... while (uaddr <= end); Reported-by: Jan Stancek Tested-by: Jan Stancek Cc: stable@vger.kernel.org # v3.5+ Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin

fanotify: fix list corruption in fanotify_get_response()

2016-10-03T16:58:10Z

[ Upstream commit 96d41019e3ac55f6f0115b0ce97e4f24a3d636d2 ] fanotify_get_response() calls fsnotify_remove_event() when it finds that group is being released from fanotify_release() (bypass_perm is set). However the event it removes need not be only in the group's notification queue but it can have already moved to access_list (userspace read the event before closing the fanotify instance fd) which is protected by a different lock. Thus when fsnotify_remove_event() races with fanotify_release() operating on access_list, the list can get corrupted. Fix the problem by moving all the logic removing permission events from the lists to one place - fanotify_release(). Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events") Link: http://lkml.kernel.org/r/1473797711-14111-3-git-send-email-jack@suse.cz Signed-off-by: Jan Kara Reported-by: Miklos Szeredi Tested-by: Miklos Szeredi Reviewed-by: Miklos Szeredi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin

fsnotify: add a way to stop queueing events on group shutdown

2016-10-03T16:58:04Z

[ Upstream commit 12703dbfeb15402260e7554d32a34ac40c233990 ] Implement a function that can be called when a group is being shutdown to stop queueing new events to the group. Fanotify will use this. Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events") Link: http://lkml.kernel.org/r/1473797711-14111-2-git-send-email-jack@suse.cz Signed-off-by: Jan Kara Reviewed-by: Miklos Szeredi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin

fix iov_iter_fault_in_readable()

2016-10-03T12:35:04Z

[ Upstream commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab ] ... by turning it into what used to be multipages counterpart Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin

asm-generic: make get_user() clear the destination on errors

2016-10-03T01:12:56Z

[ Upstream commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa ] both for access_ok() failures and for faults halfway through Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Sasha Levin

asm-generic: {get,put}_user ptr argument evaluate only 1 time

2016-10-03T01:12:48Z

[ Upstream commit a02613a4ba679eacec8251976d02809d533fa717 ] Current implemantation ptr argument evaluate 2 times. It'll be an unexpected result. Changes v5: Remove unnecessary const. Changes v4: Temporary pointer type change to const void* Changes v3: Some build error fix. Changes v2: Argument x protect. Signed-off-by: Yoshinori Sato Signed-off-by: Sasha Levin

genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers

2016-10-03T00:51:35Z

[ Upstream commit ebf9ff753c041b296241990aef76163bbb2cc9c8 ] Some irqchip drivers need to take the generic chip lock outside of the irq context. Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow one to disable irqs while entering a critical section protected by gc->lock. Note that we do not provide optimized version of these helpers for !SMP, because they are not called from the hot-path. [ tglx: Added a comment when these helpers should be [not] used ] Signed-off-by: Boris Brezillon Cc: Jason Cooper Cc: Marc Zyngier Cc: Nicolas Ferre Cc: stable@vger.kernel.org Cc: Alexandre Belloni Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com Signed-off-by: Thomas Gleixner Signed-off-by: Sasha Levin

asm-generic: make copy_from_user() zero the destination properly

2016-10-03T00:32:37Z

[ Upstream commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 ] ... in all cases, including the failing access_ok() Note that some architectures using asm-generic/uaccess.h have __copy_from_user() not zeroing the tail on failure halfway through. This variant works either way. Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Sasha Levin

PCI: Add Netronome NFP4000 PF device ID

2016-09-03T03:39:45Z

[ Upstream commit 69874ec233871a62e1bc8c89e643993af93a8630 ] Add the device ID for the PF of the NFP4000. The device ID for the VF, 0x6003, is already present as PCI_DEVICE_ID_NETRONOME_NFP6000_VF. Signed-off-by: Simon Horman Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin

PCI: Add Netronome vendor and device IDs

2016-09-03T03:39:19Z

[ Upstream commit a755e169031dac9ebaed03302c4921687c271d62 ] Device IDs for the Netronome NFP3200, NFP3240, NFP6000, and NFP6000 SR-IOV devices. Signed-off-by: Jason S. McMullan [simon: edited changelog] Signed-off-by: Simon Horman Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin