1. 24 Mar, 2020 3 commits
    • RDMA/core: Ensure security pkey modify is not lost · 2d47fbac
      Mike Marciniszyn authored
      The following modify sequence (loosely based on ipoib) will lose a pkey
      modification:
      
      - Modify (pkey index, port)
      - Modify (new pkey index, NO port)
      
      After the first modify, the qp_pps list will have saved the pkey and the
      unit on the main list.
      
      During the second modify, get_new_pps() will fetch the port from qp_pps
      and read the new pkey index from qp_attr->pkey_index.  The state will
      still be zero, or IB_PORT_PKEY_NOT_VALID. Because of the invalid state,
      the new values will never replace the one in the qp pps list, losing the
      new pkey.
      
      This happens because the following if statements will never correct the
      state because the first term will be false. If the code had been executed,
      it would incorrectly overwrite valid values.
      
        if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT))
      	  new_pps->main.state = IB_PORT_PKEY_VALID;
      
        if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) {
      	  new_pps->main.port_num = qp_pps->main.port_num;
      	  new_pps->main.pkey_index = qp_pps->main.pkey_index;
      	  if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
      		  new_pps->main.state = IB_PORT_PKEY_VALID;
        }
      
      Fix by joining the two if statements with an or test to see if qp_pps is
      non-NULL and in the correct state.
      
      Fixes: 1dd01788 ("RDMA/core: Fix protection fault in get_pkey_idx_qp_list")
      Link: https://lore.kernel.org/r/20200313124704.14982.55907.stgit@awfm-01.aw.intel.com
      Reviewed-by: Kaike Wan <kaike.wan@intel.com>
      Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
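
The lost-modify sequence from the commit message above, as an added user-space C model; it is not the kernel patch. The two `if` statements in `get_new_pps_before()` are the ones quoted in the message; the field selection in `pick_fields()`, the joined condition in `get_new_pps_after()`, and the caller rule that only a valid entry replaces the saved one are assumptions drawn from the message's description.

```c
#include <stddef.h>
#include <stdio.h>

/* Names follow the commit message; this is a user-space model, not kernel code. */
enum { IB_QP_PKEY_INDEX = 1 << 4, IB_QP_PORT = 1 << 5 };
enum port_pkey_state { IB_PORT_PKEY_NOT_VALID = 0, IB_PORT_PKEY_VALID = 1 };

struct port_pkey {
    enum port_pkey_state state;
    unsigned short pkey_index;
    unsigned char port_num;
};

struct qp_attr {
    unsigned short pkey_index;
    unsigned char port_num;
};

typedef struct port_pkey (*get_new_pps_fn)(const struct port_pkey *,
                                           const struct qp_attr *, int);

/* Assumed field selection: take a value from the request when its mask bit
 * is set, otherwise fall back to the saved entry (qp_pps) if there is one. */
static struct port_pkey pick_fields(const struct port_pkey *qp_pps,
                                    const struct qp_attr *attr, int mask)
{
    struct port_pkey n = { IB_PORT_PKEY_NOT_VALID, 0, 0 };

    if (mask & IB_QP_PORT)
        n.port_num = attr->port_num;
    else if (qp_pps)
        n.port_num = qp_pps->port_num;

    if (mask & IB_QP_PKEY_INDEX)
        n.pkey_index = attr->pkey_index;
    else if (qp_pps)
        n.pkey_index = qp_pps->pkey_index;
    return n;
}

/* State logic before the fix: the two if statements quoted in the message. */
struct port_pkey get_new_pps_before(const struct port_pkey *qp_pps,
                                    const struct qp_attr *attr, int mask)
{
    struct port_pkey n = pick_fields(qp_pps, attr, mask);

    if ((mask & IB_QP_PKEY_INDEX) && (mask & IB_QP_PORT))
        n.state = IB_PORT_PKEY_VALID;

    if (!(mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) {
        n.port_num = qp_pps->port_num;
        n.pkey_index = qp_pps->pkey_index;
        if (qp_pps->state != IB_PORT_PKEY_NOT_VALID)
            n.state = IB_PORT_PKEY_VALID;
    }
    return n;
}

/* State logic after the fix (assumed shape): one test, joined with an OR,
 * that also accepts a non-NULL saved entry that is already valid. */
struct port_pkey get_new_pps_after(const struct port_pkey *qp_pps,
                                   const struct qp_attr *attr, int mask)
{
    struct port_pkey n = pick_fields(qp_pps, attr, mask);

    if (((mask & IB_QP_PKEY_INDEX) && (mask & IB_QP_PORT)) ||
        (qp_pps && qp_pps->state != IB_PORT_PKEY_NOT_VALID))
        n.state = IB_PORT_PKEY_VALID;
    return n;
}

/* Runs Modify(pkey index, port) then Modify(new pkey index, NO port) and
 * returns the pkey index left in the saved entry. Constructed sample values.
 * Assumed caller rule: only a valid new entry replaces the saved one. */
int run_sequence(get_new_pps_fn get_new_pps)
{
    struct port_pkey saved = { IB_PORT_PKEY_NOT_VALID, 0, 0 };
    const struct port_pkey *qp_pps = NULL; /* nothing saved before modify 1 */
    struct qp_attr first = { 0, 1 };       /* pkey index 0 on port 1 */
    struct qp_attr second = { 3, 0 };      /* new pkey index 3, no port given */
    struct port_pkey n;

    n = get_new_pps(qp_pps, &first, IB_QP_PKEY_INDEX | IB_QP_PORT);
    if (n.state == IB_PORT_PKEY_VALID) {
        saved = n;
        qp_pps = &saved;
    }

    n = get_new_pps(qp_pps, &second, IB_QP_PKEY_INDEX);
    if (n.state == IB_PORT_PKEY_VALID)
        saved = n;

    return saved.pkey_index;
}

int main(void)
{
    printf("before fix: saved pkey index = %d\n", run_sequence(get_new_pps_before));
    printf("after fix:  saved pkey index = %d\n", run_sequence(get_new_pps_after));
    return 0;
}
```

With the pre-fix logic the saved entry keeps the pkey index from the first modify, so any access check made against the saved entry still uses the old pkey.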
    • MAINTAINERS: Clean RXE section and add Zhu as RXE maintainer · 1fa70778
      Leon Romanovsky authored
      Zhu Yanjun contributed many patches to RXE and expressed genuine interest
      in improving RXE even more. Let's add him as a maintainer.
      
      Link: https://lore.kernel.org/r/20200312083658.29603-1-leon@kernel.org
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Acked-by: Moni Shoua <monis@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • IB/hfi1: Ensure pq is not left on waitlist · 9a293d1e
      Mike Marciniszyn authored
      The following warning can occur when a pq is left on the dmawait list and
      the pq is then freed:
      
        WARNING: CPU: 47 PID: 3546 at lib/list_debug.c:29 __list_add+0x65/0xc0
        list_add corruption. next->prev should be prev (ffff939228da1880), but was ffff939cabb52230. (next=ffff939cabb52230).
        Modules linked in: mmfs26(OE) mmfslinux(OE) tracedev(OE) 8021q garp mrp ib_isert iscsi_target_mod target_core_mod crc_t10dif crct10dif_generic opa_vnic rpcrdma ib_iser libiscsi scsi_transport_iscsi ib_ipoib(OE) bridge stp llc iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crct10dif_pclmul crct10dif_common crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd ast ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm pcspkr joydev drm_panel_orientation_quirks i2c_i801 mei_me lpc_ich mei wmi ipmi_si ipmi_devintf ipmi_msghandler nfit libnvdimm acpi_power_meter acpi_pad hfi1(OE) rdmavt(OE) rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_core binfmt_misc numatools(OE) xpmem(OE) ip_tables
        nfsv3 nfs_acl nfs lockd grace sunrpc fscache igb ahci libahci i2c_algo_bit dca libata ptp pps_core crc32c_intel [last unloaded: i2c_algo_bit]
        CPU: 47 PID: 3546 Comm: wrf.exe Kdump: loaded Tainted: G W OE ------------ 3.10.0-957.41.1.el7.x86_64 #1
        Hardware name: HPE.COM HPE SGI 8600-XA730i Gen10/X11DPT-SB-SG007, BIOS SBED1229 01/22/2019
        Call Trace:
        [<ffffffff91f65ac0>] dump_stack+0x19/0x1b
        [<ffffffff91898b78>] __warn+0xd8/0x100
        [<ffffffff91898bff>] warn_slowpath_fmt+0x5f/0x80
        [<ffffffff91a1dabe>] ? ___slab_alloc+0x24e/0x4f0
        [<ffffffff91b97025>] __list_add+0x65/0xc0
        [<ffffffffc03926a5>] defer_packet_queue+0x145/0x1a0 [hfi1]
        [<ffffffffc0372987>] sdma_check_progress+0x67/0xa0 [hfi1]
        [<ffffffffc03779d2>] sdma_send_txlist+0x432/0x550 [hfi1]
        [<ffffffff91a20009>] ? kmem_cache_alloc+0x179/0x1f0
        [<ffffffffc0392973>] ? user_sdma_send_pkts+0xc3/0x1990 [hfi1]
        [<ffffffffc0393e3a>] user_sdma_send_pkts+0x158a/0x1990 [hfi1]
        [<ffffffff918ab65e>] ? try_to_del_timer_sync+0x5e/0x90
        [<ffffffff91a3fe1a>] ? __check_object_size+0x1ca/0x250
        [<ffffffffc0395546>] hfi1_user_sdma_process_request+0xd66/0x1280 [hfi1]
        [<ffffffffc034e0da>] hfi1_aio_write+0xca/0x120 [hfi1]
        [<ffffffff91a4245b>] do_sync_readv_writev+0x7b/0xd0
        [<ffffffff91a4409e>] do_readv_writev+0xce/0x260
        [<ffffffff918df69f>] ? pick_next_task_fair+0x5f/0x1b0
        [<ffffffff918db535>] ? sched_clock_cpu+0x85/0xc0
        [<ffffffff91f6b16a>] ? __schedule+0x13a/0x860
        [<ffffffff91a442c5>] vfs_writev+0x35/0x60
        [<ffffffff91a4447f>] SyS_writev+0x7f/0x110
        [<ffffffff91f78ddb>] system_call_fastpath+0x22/0x27
      
      The issue happens when wait_event_interruptible_timeout() returns a value
      <= 0.
      
      In that case, the pq is left on the list. The code continues sending
      packets and potentially can complete the current request with the pq still
      on the dmawait list provided no descriptor shortage is seen.
      
      If the pq is torn down in that state, the sdma interrupt handler could
      find the now freed pq on the list with list corruption or memory
      corruption resulting.
      
      Fix by adding a flush routine to ensure that the pq is never on a list
      after processing a request.
      
      A follow-up patch series will address issues with seqlock surfaced in:
      https://lore.kernel.org/r/20200320003129.GP20941@ziepe.ca
      
      The seqlock use for sdma will then be converted to a spin lock since the
      list_empty() doesn't need the protection afforded by the sequence lock
      currently in use.
      
      Fixes: a0d40693 ("staging/rdma/hfi1: Add page lock limit check for SDMA requests")
      Link: https://lore.kernel.org/r/20200320200200.23203.37777.stgit@awfm-01.aw.intel.com
      Reviewed-by: Kaike Wan <kaike.wan@intel.com>
      Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  2. 13 Mar, 2020 4 commits
    • IB/rdmavt: Free kernel completion queue when done · 941224e0
      Kaike Wan authored
      When a kernel ULP requests the rdmavt to create a completion queue, it
      allocated the queue and set cq->kqueue to point to it. However, when the
      completion queue is destroyed, cq->queue is freed instead, leading to a
      memory leak:
      
      https://lore.kernel.org/r/215235485.15264050.1583334487658.JavaMail.zimbra@redhat.com
      
       unreferenced object 0xffffc90006639000 (size 12288):
       comm "kworker/u128:0", pid 8, jiffies 4295777598 (age 589.085s)
          hex dump (first 32 bytes):
            4d 00 00 00 4d 00 00 00 00 c0 08 ac 8b 88 ff ff  M...M...........
            00 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00  ................
          backtrace:
            [<0000000035a3d625>] __vmalloc_node_range+0x361/0x720
            [<000000002942ce4f>] __vmalloc_node.constprop.30+0x63/0xb0
            [<00000000f228f784>] rvt_create_cq+0x98a/0xd80 [rdmavt]
            [<00000000b84aec66>] __ib_alloc_cq_user+0x281/0x1260 [ib_core]
            [<00000000ef3764be>] nvme_rdma_cm_handler+0xdb7/0x1b80 [nvme_rdma]
            [<00000000936b401c>] cma_cm_event_handler+0xb7/0x550 [rdma_cm]
            [<00000000d9c40b7b>] addr_handler+0x195/0x310 [rdma_cm]
            [<00000000c7398a03>] process_one_req+0xdd/0x600 [ib_core]
            [<000000004d29675b>] process_one_work+0x920/0x1740
            [<00000000efedcdb5>] worker_thread+0x87/0xb40
            [<000000005688b340>] kthread+0x327/0x3f0
            [<0000000043a168d6>] ret_from_fork+0x3a/0x50
      
      This patch fixes the issue by freeing cq->kqueue instead.
      
      Fixes: 239b0e52 ("IB/hfi1: Move rvt_cq_wc struct into uapi directory")
      Link: https://lore.kernel.org/r/20200313123957.14343.43879.stgit@awfm-01.aw.intel.com
      Cc: <stable@vger.kernel.org> # 5.4.x
      Reported-by: Yi Zhang <yi.zhang@redhat.com>
      Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: Kaike Wan <kaike.wan@intel.com>
      Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • RDMA/mad: Do not crash if the rdma device does not have a umad interface · 5bdfa854
      Jason Gunthorpe authored
      Non-IB devices do not have a umad interface and the client_data will be
      left set to NULL. In this case calling get_nl_info() will try to kref a
      NULL cdev causing a crash:
      
        general protection fault, probably for non-canonical address 0xdffffc00000000ba: 0000 [#1] PREEMPT SMP KASAN
        KASAN: null-ptr-deref in range [0x00000000000005d0-0x00000000000005d7]
        CPU: 0 PID: 20851 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
        RIP: 0010:kobject_get+0x35/0x150 lib/kobject.c:640
        Code: 53 e8 3f b0 8b f9 4d 85 e4 0f 84 a2 00 00 00 e8 31 b0 8b f9 49 8d 7c 24 3c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f  b6 04 02 48 89 fa
      +83 e2 07 38 d0 7f 08 84 c0 0f 85 eb 00 00 00
        RSP: 0018:ffffc9000946f1a0 EFLAGS: 00010203
        RAX: dffffc0000000000 RBX: ffffffff85bdbbb0 RCX: ffffc9000bf22000
        RDX: 00000000000000ba RSI: ffffffff87e9d78f RDI: 00000000000005d4
        RBP: ffffc9000946f1b8 R08: ffff8880581a6440 R09: ffff8880581a6cd0
        R10: fffffbfff154b838 R11: ffffffff8aa5c1c7 R12: 0000000000000598
        R13: 0000000000000000 R14: ffffc9000946f278 R15: ffff88805cb0c4d0
        FS:  00007faa9e8af700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000001b30121000 CR3: 000000004515d000 CR4: 00000000001406f0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         get_device+0x25/0x40 drivers/base/core.c:2574
         __ib_get_client_nl_info+0x205/0x2e0 drivers/infiniband/core/device.c:1861
         ib_get_client_nl_info+0x35/0x180 drivers/infiniband/core/device.c:1881
         nldev_get_chardev+0x575/0xac0 drivers/infiniband/core/nldev.c:1621
         rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:195 [inline]
         rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
         rdma_nl_rcv+0x5d9/0x980 drivers/infiniband/core/netlink.c:259
         netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
         netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1329
         netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1918
         sock_sendmsg_nosec net/socket.c:652 [inline]
         sock_sendmsg+0xd7/0x130 net/socket.c:672
         ____sys_sendmsg+0x753/0x880 net/socket.c:2343
         ___sys_sendmsg+0x100/0x170 net/socket.c:2397
         __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
         __do_sys_sendmsg net/socket.c:2439 [inline]
         __se_sys_sendmsg net/socket.c:2437 [inline]
         __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
         do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Cc: stable@kernel.org
      Fixes: 8f71bb00 ("RDMA: Report available cdevs through RDMA_NLDEV_CMD_GET_CHARDEV")
      Link: https://lore.kernel.org/r/20200310075339.238090-1-leon@kernel.org
      Reported-by: syzbot+46fe08363dbba223dec5@syzkaller.appspotmail.com
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • RDMA/core: Fix missing error check on dev_set_name() · f2f2b3bb
      Jason Gunthorpe authored
      If name memory allocation fails the name will be left empty and
      device_add_one() will crash:
      
        kobject: (0000000004952746): attempted to be registered with empty name!
        WARNING: CPU: 0 PID: 329 at lib/kobject.c:234 kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
        Kernel panic - not syncing: panic_on_warn set ...
        CPU: 0 PID: 329 Comm: syz-executor.5 Not tainted 5.6.0-rc2-syzkaller #0
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
        Call Trace:
         __dump_stack lib/dump_stack.c:77 [inline]
         dump_stack+0x197/0x210 lib/dump_stack.c:118
         panic+0x2e3/0x75c kernel/panic.c:221
         __warn.cold+0x2f/0x3e kernel/panic.c:582
         report_bug+0x289/0x300 lib/bug.c:195
         fixup_bug arch/x86/kernel/traps.c:174 [inline]
         fixup_bug arch/x86/kernel/traps.c:169 [inline]
         do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
         do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
         invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
        RIP: 0010:kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
        Code: 1a 98 ca f9 e9 f0 f8 ff ff 4c 89 f7 e8 6d 98 ca f9 e9 95 f9 ff ff e8 c3 f0 8b f9 4c 89 e6 48 c7 c7 a0 0e 1a 89 e8 e3 41 5c f9 <0f> 0b 41 bd ea ff ff ff e9 52 ff ff ff e8 a2 f0 8b f9 0f 0b e8 9b
        RSP: 0018:ffffc90005b27908 EFLAGS: 00010286
        RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
        RDX: 0000000000040000 RSI: ffffffff815eae46 RDI: fffff52000b64f13
        RBP: ffffc90005b27960 R08: ffff88805aeba480 R09: ffffed1015d06659
        R10: ffffed1015d06658 R11: ffff8880ae8332c7 R12: ffff8880a37fd000
        R13: 0000000000000000 R14: ffff888096691780 R15: 0000000000000001
         kobject_add_varg lib/kobject.c:390 [inline]
         kobject_add+0x150/0x1c0 lib/kobject.c:442
         device_add+0x3be/0x1d00 drivers/base/core.c:2412
         add_one_compat_dev drivers/infiniband/core/device.c:901 [inline]
         add_one_compat_dev+0x46a/0x7e0 drivers/infiniband/core/device.c:857
         rdma_dev_init_net+0x2eb/0x490 drivers/infiniband/core/device.c:1120
         ops_init+0xb3/0x420 net/core/net_namespace.c:137
         setup_net+0x2d5/0x8b0 net/core/net_namespace.c:327
         copy_net_ns+0x29e/0x5a0 net/core/net_namespace.c:468
         create_new_namespaces+0x403/0xb50 kernel/nsproxy.c:108
         unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:229
         ksys_unshare+0x444/0x980 kernel/fork.c:2955
         __do_sys_unshare kernel/fork.c:3023 [inline]
         __se_sys_unshare kernel/fork.c:3021 [inline]
         __x64_sys_unshare+0x31/0x40 kernel/fork.c:3021
         do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Link: https://lore.kernel.org/r/20200309193200.GA10633@ziepe.ca
      Cc: stable@kernel.org
      Fixes: 4e0f7b90 ("RDMA/core: Implement compat device/sysfs tree in net namespace")
      Reported-by: syzbot+ab4dae63f7d310641ded@syzkaller.appspotmail.com
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • RDMA/nl: Do not permit empty devices names during RDMA_NLDEV_CMD_NEWLINK/SET · 7aefa623
      Jason Gunthorpe authored
      Empty device names cannot be added to sysfs and crash with:
      
        kobject: (00000000f9de3792): attempted to be registered with empty name!
        WARNING: CPU: 1 PID: 10856 at lib/kobject.c:234 kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
        Kernel panic - not syncing: panic_on_warn set ...
        CPU: 1 PID: 10856 Comm: syz-executor459 Not tainted 5.6.0-rc3-syzkaller #0
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
        Call Trace:
         __dump_stack lib/dump_stack.c:77 [inline]
         dump_stack+0x197/0x210 lib/dump_stack.c:118
         panic+0x2e3/0x75c kernel/panic.c:221
         __warn.cold+0x2f/0x3e kernel/panic.c:582
         report_bug+0x289/0x300 lib/bug.c:195
         fixup_bug arch/x86/kernel/traps.c:174 [inline]
         fixup_bug arch/x86/kernel/traps.c:169 [inline]
         do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
         do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
         invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
        RIP: 0010:kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
        Code: 7a ca ca f9 e9 f0 f8 ff ff 4c 89 f7 e8 cd ca ca f9 e9 95 f9 ff ff e8 13 25 8c f9 4c 89 e6 48 c7 c7 a0 08 1a 89 e8 a3 76 5c f9 <0f> 0b 41 bd ea ff ff ff e9 52 ff ff ff e8 f2 24 8c f9 0f 0b e8 eb
        RSP: 0018:ffffc90002006eb0 EFLAGS: 00010286
        RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
        RDX: 0000000000000000 RSI: ffffffff815eae46 RDI: fffff52000400dc8
        RBP: ffffc90002006f08 R08: ffff8880972ac500 R09: ffffed1015d26659
        R10: ffffed1015d26658 R11: ffff8880ae9332c7 R12: ffff888093034668
        R13: 0000000000000000 R14: ffff8880a69d7600 R15: 0000000000000001
         kobject_add_varg lib/kobject.c:390 [inline]
         kobject_add+0x150/0x1c0 lib/kobject.c:442
         device_add+0x3be/0x1d00 drivers/base/core.c:2412
         ib_register_device drivers/infiniband/core/device.c:1371 [inline]
         ib_register_device+0x93e/0xe40 drivers/infiniband/core/device.c:1343
         rxe_register_device+0x52e/0x655 drivers/infiniband/sw/rxe/rxe_verbs.c:1231
         rxe_add+0x122b/0x1661 drivers/infiniband/sw/rxe/rxe.c:302
         rxe_net_add+0x91/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:539
         rxe_newlink+0x39/0x90 drivers/infiniband/sw/rxe/rxe.c:318
         nldev_newlink+0x28a/0x430 drivers/infiniband/core/nldev.c:1538
         rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:195 [inline]
         rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
         rdma_nl_rcv+0x5d9/0x980 drivers/infiniband/core/netlink.c:259
         netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
         netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1329
         netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1918
         sock_sendmsg_nosec net/socket.c:652 [inline]
         sock_sendmsg+0xd7/0x130 net/socket.c:672
         ____sys_sendmsg+0x753/0x880 net/socket.c:2343
         ___sys_sendmsg+0x100/0x170 net/socket.c:2397
         __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
         __do_sys_sendmsg net/socket.c:2439 [inline]
         __se_sys_sendmsg net/socket.c:2437 [inline]
         __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
         do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Prevent empty names when checking the name provided from userspace during
      newlink and rename.
      
      Fixes: 3856ec4b ("RDMA/core: Add RDMA_NLDEV_CMD_NEWLINK/DELLINK support")
      Fixes: 05d940d3 ("RDMA/nldev: Allow IB device rename through RDMA netlink")
      Cc: stable@kernel.org
      Link: https://lore.kernel.org/r/20200309191648.GA30852@ziepe.ca
      Reported-and-tested-by: syzbot+da615ac67d4dbea32cbc@syzkaller.appspotmail.com
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  3. 10 Mar, 2020 3 commits
    • RDMA/mlx5: Fix the number of hwcounters of a dynamic counter · ec16b6bb
      Mark Zhang authored
      When we read the global counter and there's any dynamic counter allocated,
      the value of a hwcounter is the sum of the default counter and all dynamic
      counters. So the number of hwcounters of a dynamically allocated counter
      must be same as of the default counter, otherwise there will be read
      violations.
      
      This fixes the KASAN slab-out-of-bounds bug:
      
        BUG: KASAN: slab-out-of-bounds in rdma_counter_get_hwstat_value+0x36d/0x390 [ib_core]
        Read of size 8 at addr ffff8884192a5778 by task rdma/10138
      
        CPU: 7 PID: 10138 Comm: rdma Not tainted 5.5.0-for-upstream-dbg-2020-02-06_18-30-19-27 #1
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0xb7/0x10b
         print_address_description.constprop.4+0x1e2/0x400
         ? rdma_counter_get_hwstat_value+0x36d/0x390 [ib_core]
         __kasan_report+0x15c/0x1e0
         ? mlx5_ib_query_q_counters+0x13f/0x270 [mlx5_ib]
         ? rdma_counter_get_hwstat_value+0x36d/0x390 [ib_core]
         kasan_report+0xe/0x20
         rdma_counter_get_hwstat_value+0x36d/0x390 [ib_core]
         ? rdma_counter_query_stats+0xd0/0xd0 [ib_core]
         ? memcpy+0x34/0x50
         ? nla_put+0xe2/0x170
         nldev_stat_get_doit+0x9c7/0x14f0 [ib_core]
         ...
         do_syscall_64+0x95/0x490
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7fcc457fe65a
        Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa f1 2b 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 f3 c3 0f 1f 40 00 41 55 41 54 4d 89 c5 55
        RSP: 002b:00007ffc0586f868 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
        RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcc457fe65a
        RDX: 0000000000000020 RSI: 00000000013db920 RDI: 0000000000000003
        RBP: 00007ffc0586fa90 R08: 00007fcc45ac10e0 R09: 000000000000000c
        R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004089c0
        R13: 0000000000000000 R14: 00007ffc0586fab0 R15: 00000000013dc9a0
      
        Allocated by task 9700:
         save_stack+0x19/0x80
         __kasan_kmalloc.constprop.7+0xa0/0xd0
         mlx5_ib_counter_alloc_stats+0xd1/0x1d0 [mlx5_ib]
         rdma_counter_alloc+0x16d/0x3f0 [ib_core]
         rdma_counter_bind_qpn_alloc+0x216/0x4e0 [ib_core]
         nldev_stat_set_doit+0x8c2/0xb10 [ib_core]
         rdma_nl_rcv_msg+0x3d2/0x730 [ib_core]
         rdma_nl_rcv+0x2a8/0x400 [ib_core]
         netlink_unicast+0x448/0x620
         netlink_sendmsg+0x731/0xd10
         sock_sendmsg+0xb1/0xf0
         __sys_sendto+0x25d/0x2c0
         __x64_sys_sendto+0xdd/0x1b0
         do_syscall_64+0x95/0x490
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 18d422ce ("IB/mlx5: Add counter_alloc_stats() and counter_update_stats() support")
      Link: https://lore.kernel.org/r/20200305124052.196688-1-leon@kernel.org
      Signed-off-by: Mark Zhang <markz@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • MAINTAINERS: Update maintainers for HISILICON ROCE DRIVER · d372abf3
      Weihang Li authored
      Add myself as a maintainer for HNS RoCE drivers, and update Xavier's
      e-mail address.
      
      Link: https://lore.kernel.org/r/1583575114-32194-1-git-send-email-liweihang@huawei.com
      Signed-off-by: Weihang Li <liweihang@huawei.com>
      Acked-by: Wei Hu (Xavier) <xavier.huwei@huawei.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • RDMA/odp: Fix leaking the tgid for implicit ODP · 0f9826f4
      Jason Gunthorpe authored
      The tgid used to be part of ib_umem_free_notifier(), when it was reworked
      it got moved to release, but it should have been unconditional as all umem
      alloc paths get the tgid.
      
      As is, creating an implicit ODP will leak the tgid reference.
      
      Link: https://lore.kernel.org/r/20200304181607.GA22412@ziepe.ca
      Cc: stable@kernel.org
      Fixes: f25a546e ("RDMA/odp: Use mmu_interval_notifier_insert()")
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  4. 09 Mar, 2020 3 commits
    • Linux 5.6-rc5 · 2c523b34
      Linus Torvalds authored
    • Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 62790268
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "We've been accruing these for a couple of weeks, so the batch is a bit
        bigger than usual.
      
        Largest delta is due to a led-bl driver that is added -- there was a
        miscommunication before the merge window and the driver didn't make it
        in. Due to this, the platforms needing it regressed. At this point, it
        seemed easier to add the new driver than unwind the changes.
      
        Besides that, there are a handful of various fixes:
      
         - AMD tee memory leak fix
      
         - A handful of fixlets for i.MX SCU communication
      
         - A few maintainers woke up and realized DEBUG_FS had been missing
           for a while, so a few updates of that.
      
        ... and the usual collection of smaller fixes to various platforms"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (37 commits)
        ARM: socfpga_defconfig: Add back DEBUG_FS
        arm64: dts: socfpga: agilex: Fix gmac compatible
        ARM: bcm2835_defconfig: Explicitly restore CONFIG_DEBUG_FS
        arm64: dts: meson: fix gxm-khadas-vim2 wifi
        arm64: dts: meson-sm1-sei610: add missing interrupt-names
        ARM: meson: Drop unneeded select of COMMON_CLK
        ARM: dts: bcm2711: Add pcie0 alias
        ARM: dts: bcm283x: Add missing properties to the PWR LED
        tee: amdtee: fix memory leak in amdtee_open_session()
        ARM: OMAP2+: Fix compile if CONFIG_HAVE_ARM_SMCCC is not set
        arm: dts: dra76x: Fix mmc3 max-frequency
        ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes
        bus: ti-sysc: Fix 1-wire reset quirk
        ARM: dts: r8a7779: Remove deprecated "renesas, rcar-sata" compatible value
        soc: imx-scu: Align imx sc msg structs to 4
        firmware: imx: Align imx_sc_msg_req_cpu_start to 4
        firmware: imx: scu-pd: Align imx sc msg structs to 4
        firmware: imx: misc: Align imx sc msg structs to 4
        firmware: imx: scu: Ensure sequential TX
        ARM: dts: imx7-colibri: Fix frequency for sd/mmc
        ...
    • Merge tag 'edac_urgent-2020-03-08' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras · efe582a1
      Linus Torvalds authored
      Pull EDAC fix from Borislav Petkov:
       "Error reporting fix for synopsys_edac: do not overwrite partial
        decoded error message (Sherry Sun)"
      
      * tag 'edac_urgent-2020-03-08' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
        EDAC/synopsys: Do not print an error with back-to-back snprintf() calls
  5. 08 Mar, 2020 5 commits
    • Merge tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 378fee2e
      Linus Torvalds authored
      Pull char/misc fixes from Greg KH:
       "Here are four small char/misc driver fixes for reported issues for
        5.6-rc5.
      
        These fixes are:
      
         - binder fix for a potential use-after-free problem found (took two
           tries to get it right)
      
         - interconnect core fix
      
         - altera-stapl driver fix
      
        All four of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        binder: prevent UAF for binderfs devices II
        interconnect: Handle memory allocation errors
        altera-stapl: altera_get_note: prevent write beyond end of 'key'
        binder: prevent UAF for binderfs devices
    • Merge tag 'driver-core-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · b34e5c13
      Linus Torvalds authored
      Pull driver core and debugfs fixes from Greg KH:
       "Here are four small driver core / debugfs patches for 5.6-rc3:
      
         - debugfs api cleanup now that all debugfs_create_regset32() callers
           have been fixed up. This was waiting until after the -rc1 merge as
           these fixes came in through different trees
      
         - driver core sync state fixes based on reports of minor issues found
           in the feature
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'driver-core-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        driver core: Skip unnecessary work when device doesn't have sync_state()
        driver core: Add dev_has_sync_state()
        driver core: Call sync_state() even if supplier has no consumers
        debugfs: remove return value of debugfs_create_regset32()
    • Merge tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · cc432aee
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small tty/serial fixes for 5.6-rc5
      
        Just some small serial driver fixes, and a vt core fixup, full details
        are:
      
         - vt fixes for issues found by syzbot
      
         - serdev fix for Apple boxes
      
         - fsl_lpuart serial driver fixes
      
         - MAINTAINER update for incorrect serial files
      
         - new device ids for 8250_exar driver
      
         - mvebu-uart fix
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        tty: serial: fsl_lpuart: free IDs allocated by IDA
        Revert "tty: serial: fsl_lpuart: drop EARLYCON_DECLARE"
        serdev: Fix detection of UART devices on Apple machines.
        MAINTAINERS: Add missed files related to Synopsys DesignWare UART
        serial: 8250_exar: add support for ACCES cards
        tty:serial:mvebu-uart:fix a wrong return
        vt: selection, push sel_lock up
        vt: selection, push console lock down
    • Merge tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fd3f6cc9
      Linus Torvalds authored
      Pull USB/PHY fixes from Greg KH:
       "Here are some small USB and PHY driver fixes for reported issues for
        5.6-rc5.
      
        Included in here are:
      
         - phy driver fixes
      
         - new USB quirks
      
         - USB cdns3 gadget driver fixes
      
         - USB hub core fixes
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: dwc3: gadget: Update chain bit correctly when using sg list
        usb: core: port: do error out if usb_autopm_get_interface() fails
        usb: core: hub: do error out if usb_autopm_get_interface() fails
        usb: core: hub: fix unhandled return by employing a void function
        usb: storage: Add quirk for Samsung Fit flash
        usb: quirks: add NO_LPM quirk for Logitech Screen Share
        usb: usb251xb: fix regulator probe and error handling
        phy: allwinner: Fix GENMASK misuse
        usb: cdns3: gadget: toggle cycle bit before reset endpoint
        usb: cdns3: gadget: link trb should point to next request
        phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling
        phy: brcm-sata: Correct MDIO operations for 40nm platforms
        phy: ti: gmii-sel: do not fail in case of gmii
        phy: ti: gmii-sel: fix set of copy-paste errors
        phy: core: Fix phy_get() to not return error on link creation failure
        phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval
      fd3f6cc9
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 61a09258
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Nothing particularly exciting, some small ODP regressions from the mmu
        notifier rework, another bunch of syzkaller fixes, and a bug fix for a
        botched syzkaller fix in the first rc pull request.
      
         - Fix busted syzkaller fix in 'get_new_pps' - this turned out to
           crash on certain HW configurations
      
         - Bug fixes for various missed things in error unwinds
      
         - Add a missing rcu_read_lock annotation in hfi/qib
      
         - Fix two ODP related regressions from the recent mmu notifier
           changes
      
         - Several more syzkaller bugs in siw, RDMA netlink, verbs and iwcm
      
         - Revert an old patch in CMA as it is now shown to not be allocating
           port numbers properly"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/iwcm: Fix iwcm work deallocation
        RDMA/siw: Fix failure handling during device creation
        RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
        RDMA/odp: Ensure the mm is still alive before creating an implicit child
        RDMA/core: Fix protection fault in ib_mr_pool_destroy
        IB/mlx5: Fix implicit ODP race
        IB/hfi1, qib: Ensure RCU is locked when accessing list
        RDMA/core: Fix pkey and port assignment in get_new_pps
        RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
        RDMA/rw: Fix error flow during RDMA context initialization
        RDMA/core: Fix use of logical OR in get_new_pps
        Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"
      61a09258
  6. 07 Mar, 2020 10 commits
    • Merge tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block · c2003765
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Here are a few io_uring fixes that should go into this release. This
        contains:
      
         - Removal of (now) unused io_wq_flush() and associated flag (Pavel)
      
         - Fix cancelation lockup with linked timeouts (Pavel)
      
         - Fix for potential use-after-free when freeing percpu ref for fixed
           file sets
      
         - io-wq cancelation fixups (Pavel)"
      
      * tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
        io_uring: fix lockup with timeouts
        io_uring: free fixed_file_data after RCU grace period
        io-wq: remove io_wq_flush and IO_WQ_WORK_INTERNAL
        io-wq: fix IO_WQ_WORK_NO_CANCEL cancellation
      c2003765
    • Merge tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block · 5dfcc139
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Here are a few fixes that should go into this release. This contains:
      
         - Revert of a bad bcache patch from this merge window
      
         - Removed unused function (Daniel)
      
         - Fixup for the blktrace fix from Jan from this release (Cengiz)
      
         - Fix of deeper level bfqq overwrite in BFQ (Carlo)"
      
      * tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
        block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
        blktrace: fix dereference after null check
        Revert "bcache: ignore pending signals when creating gc and allocator thread"
        block: Remove used kblockd_schedule_work_on()
      5dfcc139
    • Merge tag 'media/v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 6f784a31
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
      
       - a fix for the media controller links in both hantro driver and in
         v4l2-mem2mem core
      
       - some fixes for the pulse8-cec driver
      
       - vicodec: handle alpha channel for RGB32 formats, as it may be used
      
       - mc-entity.c: fix handling of pad flags
      
      * tag 'media/v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        media: hantro: Fix broken media controller links
        media: mc-entity.c: use & to check pad flags, not ==
        media: v4l2-mem2mem.c: fix broken links
        media: vicodec: process all 4 components for RGB32 formats
        media: pulse8-cec: close serio in disconnect, not adap_free
        media: pulse8-cec: INIT_DELAYED_WORK was called too late
      6f784a31
    • io_uring: fix lockup with timeouts · f0e20b89
      Pavel Begunkov authored
      There is a recipe to deadlock the kernel: submit a timeout sqe with a
      linked_timeout (e.g.  test_single_link_timeout_ception() from liburing),
      and SIGKILL the process.
      
      Then, io_kill_timeouts() takes @ctx->completion_lock, but the timeout
      isn't flagged with REQ_F_COMP_LOCKED, and will try to double grab it
      during io_put_free() to cancel the linked timeout. Probably, the same
      can happen with another io_kill_timeout() call site, that is
      io_commit_cqring().
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      f0e20b89
    • Merge tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 9d588f63
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - Fix panic in gup_fast on large pud by providing an implementation of
         pud_write. This has been overlooked during migration to common gup
         code.
      
       - Fix unexpected write combining on PCI stores.
      
      * tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/pci: Fix unexpected write combine on resource
        s390/mm: fix panic in gup_fast on large pud
      9d588f63
    • Merge tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 5236647a
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Some more powerpc fixes for 5.6:
      
         - One fix for a recent regression to our breakpoint/watchpoint code.
      
         - Another fix for our KUAP support, this time a missing annotation in
           a rarely used path in signal handling.
      
         - A fix for our handling of a CPU feature that affects the PMU, when
           booting guests in some configurations.
      
         - A minor fix to our linker script to explicitly include the .BTF
           section.
      
        Thanks to: Christophe Leroy, Desnes A. Nunes do Rosario, Leonardo
        Bras, Naveen N. Rao, Ravi Bangoria, Stefan Berger"
      
      * tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()
        powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
        powerpc: Include .BTF section
        powerpc/watchpoint: Don't call dar_within_range() for Book3S
      5236647a
    • Merge tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · cbee7c8b
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Four fixes and a small cleanup patch:
      
         - two fixes by Dongli Zhang fixing races in the xenbus driver
      
         - two fixes by me fixing issues introduced in 5.6
      
         - a small cleanup by Gustavo Silva replacing a zero-length array with
           a flexible-array"
      
      * tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/blkfront: fix ring info addressing
        xen/xenbus: fix locking
        xenbus: req->err should be updated before req->state
        xenbus: req->body should be updated before req->state
        xen: Replace zero-length array with flexible-array member
      cbee7c8b
    • Merge tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux · fa883d6a
      Linus Torvalds authored
      Pull thread fixes from Christian Brauner:
       "Here are a few hopefully uncontroversial fixes:
      
         - Use RCU_INIT_POINTER() when initializing rcu protected members in
           task_struct to fix sparse warnings.
      
         - Add pidfd_fdinfo_test binary to .gitignore file"
      
      * tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux:
        selftests: pidfd: Add pidfd_fdinfo_test in .gitignore
        exit: Fix Sparse errors and warnings
        fork: Use RCU_INIT_POINTER() instead of rcu_access_pointer()
      fa883d6a
    • Merge tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 676fc8de
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "The regular "bump-in-the-middle" updates, containing mostly ASoC-
        related fixes at this time. All changes are reasonably small.
      
        A few entries are for ASoC and ALSA core parts (DAPM, PCM, topology)
        for followups of the recent changes and potential buffer overflow by
        snprintf(), while the rest are (both new and old) device-specific
        fixes for Intel, meson, tas2562, rt1015, as well as the usual HD-audio
        quirks"
      
      * tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (25 commits)
        ALSA: sgio2audio: Remove usage of dropped hw_params/hw_free functions
        ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
        ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
        ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
        ALSA: hda/realtek - Add Headset Mic supported
        ASoC: wm8741: Fix typo in Kconfig prompt
        ASoC: stm32: sai: manage rebind issue
        ASoC: SOF: Fix snd_sof_ipc_stream_posn()
        ASoC: rt1015: modify pre-divider for sysclk
        ASoC: rt1015: add operation callback function for rt1015_dai[]
        ASoC: soc-component: tidyup snd_soc_pcm_component_sync_stop()
        ASoC: dapm: Correct DAPM handling of active widgets during shutdown
        ASoC: tas2562: Fix sample rate error message
        ASoC: Intel: Skylake: Fix available clock counter incrementation
        ASoC: soc-pcm/soc-compress: don't use snd_soc_dapm_stream_stop()
        ASoC: meson: g12a: add tohdmitx reset
        ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
        ASoC: soc-core: fix for_rtd_codec_dai_rollback() macro
        ASoC: topology: Fix memleak in soc_tplg_manifest_load()
        ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
        ...
      676fc8de
    • Merge tag 'asoc-fix-v5.6-rc4' of... · 5a56996b
      Takashi Iwai authored
      Merge tag 'asoc-fix-v5.6-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v5.6
      
      More fixes that have arrived since the merge window, spread out all
      over.  There's a few things like the operation callback addition for
      rt1015 and the meson reset addition which add small new bits of
      functionality to fix non-working systems, they're all very small and for
      parts of newly added functionality.
      5a56996b
  7. 06 Mar, 2020 12 commits
    • Merge tag 'linux-kselftest-5.6-rc5' of... · 63849c8f
      Linus Torvalds authored
      Merge tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest update from Shuah Khan:
       "This consists of a cleanup patch to undo changes to global .gitignore
        that added selftests/lkdtm objects and add them to a local
        selftests/lkdtm/.gitignore.
      
        Summary of Linus's comments on local vs. global gitignore scope:
      
         - Keep local gitignore patterns in local files.
      
         - Put only global gitignore patterns in the top-level gitignore file.
      
        Local scope keeps things much better separated. It also incidentally
        means that if a directory gets renamed, the gitignore file continues
        to work unless in the case of renaming the actual files themselves
        that are named in the gitignore"
      
      * tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftest/lkdtm: Use local .gitignore
      63849c8f
    • Merge tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 7e6582ef
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
       "This contains a handful of fixes that I would like to target for 5.6:
      
         - A pair of fixes to module loading, which we hope solve the last of
           the issues with module text being loaded too sparsely for our call
           relocations.
      
         - A Kconfig fix that disallows selecting memory models not supported
           by NOMMU.
      
         - A series of Kconfig updates to ease selecting the drivers necessary
           to run on QEMU's virt platform.
      
         - DTS updates for SiFive's HiFive Unleashed.
      
         - A fix to our seccomp support that avoids mangling restartable
           syscalls"
      
      * tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: fix seccomp reject syscall code path
        riscv: dts: Add GPIO reboot method to HiFive Unleashed DTS file
        RISC-V: Select Goldfish RTC driver for QEMU virt machine
        RISC-V: Select SYSCON Reboot and Poweroff for QEMU virt machine
        RISC-V: Enable QEMU virt machine support in defconfigs
        RISC-V: Add kconfig option for QEMU virt machine
        riscv: Fix range looking for kernel image memblock
        riscv: Force flat memory model with no-mmu
        riscv: Change code model of module to medany to improve data accessing
        riscv: avoid the PIC offset of static percpu data in module beyond 2G limits
      7e6582ef
    • parse-maintainers: Mark as executable · 611d61f9
      Jonathan Neuschäfer authored
      This makes the script more convenient to run.
      Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      611d61f9
    • Merge tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · bdf1ea7c
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
       "Another batch of DT fixes. I think this should be the last of it, but
        sending pull requests seems to cause people to send more fixes.
      
        Summary:
      
         - Fixes for warnings introduced by hierarchical PSCI binding changes
      
         - Fixes for broken doc references due to DT schema conversions
      
         - Several grammar and typo fixes
      
         - Fix a bunch of dtc warnings in examples"
      
      * tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: arm: Fixup the DT bindings for hierarchical PSCI states
        dt-bindings: power: Extend nodename pattern for power-domain providers
        MAINTAINERS: update ALLWINNER CPUFREQ DRIVER entry
        dt-bindings: bus: Drop empty compatible string in example
        dt-bindings: power: Convert domain-idle-states bindings to json-schema
        dt-bindings: arm: Fix cpu compatibles in the hierarchical example for PSCI
        dt-bindings: arm: Correct links to idle states definitions
        dt-bindings: mfd: Fix typo in file name of twl-familly.txt
        dt-bindings: mfd: tps65910: Improve grammar
        dt-bindings: mfd: zii,rave-sp: Fix a typo ("onborad")
        dt-bindings: arm: fsl: fix APF6Dev compatible
        dt-bindings: Fix dtc warnings in examples
        docs: dt: fix several broken doc references
        docs: dt: fix several broken references due to renames
        MAINTAINERS: clean up PCIE DRIVER FOR CAVIUM THUNDERX
      bdf1ea7c
    • Merge tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm · 2f501bb1
      Linus Torvalds authored
      Pull vgacon fix from Daniel Vetter:
       "One vgacon input check for stable"
      
      * tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm:
        vgacon: Fix a UAF in vgacon_invert_region
      2f501bb1
    • Merge tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 30fe0d07
      Linus Torvalds authored
      Pull btrfs fix from David Sterba:
       "One fixup for DIO when in use with the new checksums, a missed case
        where the checksum size was still assuming u32"
      
      * tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix RAID direct I/O reads with alternate csums
      30fe0d07
    • Merge tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux · 0b25d458
      Linus Torvalds authored
      Pull file locking fixes from Jeff Layton:
       "Just a couple of late-breaking patches for the file locking code. The
        second patch (from yangerkun) fixes a rather nasty looking potential
        use-after-free that should go to stable.
      
        The other patch could technically wait for 5.7, but it's fairly
        innocuous so I figured we might as well take it"
      
      * tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux:
        locks: fix a potential use-after-free problem when wakeup a waiter
        fcntl: Distribute switch variables for initialization
      0b25d458
    • Merge tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · ae24a21b
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A selection of small fixes, mostly for drivers, that have arrived
        since the merge window. None of them are earth shattering in
        themselves but all useful for affected systems"
      
      * tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: spi_register_controller(): free bus id on error paths
        spi: bcm63xx-hsspi: Really keep pll clk enabled
        spi: atmel-quadspi: fix possible MMIO window size overrun
        spi/zynqmp: remove entry that causes a cs glitch
        spi: pxa2xx: Add CS control clock quirk
        spi: spidev: Fix CS polarity if GPIO descriptors are used
        spi: qup: call spi_qup_pm_resume_runtime before suspending
        spi: spi-omap2-mcspi: Support probe deferral for DMA channels
        spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x
      ae24a21b
    • Merge tag 'regulator-fix-v5.6-rc4' of... · 43c63729
      Linus Torvalds authored
      Merge tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "A couple of small fixes, one for a minor issue in the stm32-vrefbuf
        driver and a documentation fix in the Qualcomm code"
      
      * tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
        regulator: qcom_spmi: Fix docs for PM8004
      43c63729
    • Merge tag 'hwmon-for-v5.6-rc5' of... · 08e39fcb
      Linus Torvalds authored
      Merge tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
       "Fix an error return in the adt7462 driver, bad voltage limits reported
        by the xdpe12284 driver, and a broken documentation reference in the
        adm1177 driver documentation"
      
      * tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
        hwmon: (pmbus/xdpe12284) Add callback for vout limits conversion
        docs: adm1177: fix a broken reference
      08e39fcb
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · c20c4a08
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "Here are another three arm64 fixes for 5.6, all pretty minor. Main
        thing is fixing a silly bug in the fsl_imx8_ddr PMU driver where we
        would zero the counters when disabling them.
      
         - Fix misreporting of ASID limit when KPTI is enabled
      
         - Fix busted NULL pointer checks for GICC structure in ACPI PMU code
      
         - Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: context: Fix ASID limit in boot messages
        drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
        drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
      c20c4a08
    • vgacon: Fix a UAF in vgacon_invert_region · 513dc792
      Zhang Xiaoxu authored
      When syzkaller tests, there is a UAF:
        BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
          ffff880000100000
        Read of size 2 by task syz-executor.1/16489
        page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
        index:0x0
        page flags: 0xfffff00000000()
        page dumped because: kasan: bad access detected
        CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
        Call Trace:
          [<ffffffffb119f309>] dump_stack+0x1e/0x20
          [<ffffffffb04af957>] kasan_report+0x577/0x950
          [<ffffffffb04ae652>] __asan_load2+0x62/0x80
          [<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
          [<ffffffffb0a39d95>] invert_screen+0xe5/0x470
          [<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
          [<ffffffffb0a3bfae>] tioclinux+0xee/0x490
          [<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
          [<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
          [<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
          [<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
          [<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
          Memory state around the buggy address:
           ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           00 00
           ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
           00 00 00
          >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
           ff ff ff
      
      It can be reproduced in the Linux mainline by the program:
        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>
        #include <fcntl.h>
        #include <sys/types.h>
        #include <sys/stat.h>
        #include <sys/ioctl.h>
        #include <linux/vt.h>
      
        struct tiocl_selection {
          unsigned short xs;      /* X start */
          unsigned short ys;      /* Y start */
          unsigned short xe;      /* X end */
          unsigned short ye;      /* Y end */
          unsigned short sel_mode; /* selection mode */
        };
      
        #define TIOCL_SETSEL    2
        struct tiocl {
          unsigned char type;
          unsigned char pad;
          struct tiocl_selection sel;
        };
      
        int main()
        {
          int fd = 0;
          const char *dev = "/dev/char/4:1";
      
          struct vt_consize v = {0};
          struct tiocl tioc = {0};
      
          fd = open(dev, O_RDWR, 0);
      
          v.v_rows = 3346;
          ioctl(fd, VT_RESIZEX, &v);
      
          tioc.type = TIOCL_SETSEL;
          ioctl(fd, TIOCLINUX, &tioc);
      
          return 0;
        }
      
      When resizing the screen, 'vc->vc_size_row' is updated to the
      new_row_size, but when 'set_origin' is called in 'vgacon_set_origin',
      vgacon uses 'vga_vram_base' for 'vc_origin' and 'vc_visible_origin', not
      'vc_screenbuf'. It may be smaller than 'vc_screenbuf'. On TIOCLINUX, the
      new_row_size is used to calculate the offset, which may be larger than
      the vga_vram_size in the vgacon driver, resulting in a bad access.
      Also, if a larger screenbuf is set first and then an even larger
      screenbuf is set, a bad access may happen when copying old_origin to
      new_origin.
      
      So, if the screen size is larger than vga_vram, resizing the screen
      should fail. This also fixes CVE-2020-8649 and CVE-2020-8647.
      
      Linus pointed out that overflow checking seems absent. We're saved by
      the existing bounds checks in vc_do_resize() with rather strict
      limits:
      
      	if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
      		return -EINVAL;
      
      Fixes: 0aec4867 ("[PATCH] SVGATextMode fix")
      Reference: CVE-2020-8647 and CVE-2020-8649
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
      [danvet: augment commit message to point out overflow safety]
      Cc: stable@vger.kernel.org
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
      513dc792