1. 13 Sep, 2018 1 commit
    • ucma: fix a use-after-free in ucma_resolve_ip() · 5fe23f26
      Cong Wang authored
      There is a race condition between ucma_close() and ucma_resolve_ip():
      
      CPU0				CPU1
      ucma_resolve_ip():		ucma_close():
      
      ctx = ucma_get_ctx(file, cmd.id);
      
              list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) {
                      mutex_lock(&mut);
                      idr_remove(&ctx_idr, ctx->id);
                      mutex_unlock(&mut);
      		...
                      mutex_lock(&mut);
                      if (!ctx->closing) {
                              mutex_unlock(&mut);
                              rdma_destroy_id(ctx->cm_id);
      		...
                      ucma_free_ctx(ctx);
      
      ret = rdma_resolve_addr();
      ucma_put_ctx(ctx);
      
      Before idr_remove(), ucma_get_ctx() could still find the ctx
      and after rdma_destroy_id(), rdma_resolve_addr() may still
      access id_priv pointer. Also, ucma_put_ctx() may use ctx after
      ucma_free_ctx() too.
      
      ucma_close() should call ucma_put_ctx() too which tests the
      refcnt and waits for the last one releasing it. The similar
      pattern is already used by ucma_destroy_id().
      
      Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com
      Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com
      Cc: Jason Gunthorpe <jgg@mellanox.com>
      Cc: Doug Ledford <dledford@redhat.com>
      Cc: Leon Romanovsky <leon@kernel.org>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
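The interleaving in the message above, replayed as an added single-threaded C model (written for this page, not rdma_ucm code). Flags stand in for kernel state: in_idr for the idr entry, id_destroyed for rdma_destroy_id(), freed for ucma_free_ctx(); the closer's wait_for_completion() is modelled by running its second half only after the resolver's put drops the last reference. The function names ctx_get/ctx_put/run_race and the return-value convention are assumptions for illustration.

```c
/* Added example (not rdma_ucm code): replay of the ucma_close() vs
 * ucma_resolve_ip() schedule.  Pre-patch the closer frees as soon as the
 * idr entry is gone; post-patch it drops its own reference and waits for
 * the last put before tearing the ctx down. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct ctx {
    int  refcnt;       /* ucma_get_ctx()/ucma_put_ctx() references */
    bool in_idr;       /* still findable by ucma_get_ctx() */
    bool id_destroyed; /* rdma_destroy_id() already ran on cm_id */
    bool freed;        /* ucma_free_ctx() already ran */
};

static struct ctx *ctx_alloc(void)
{
    struct ctx *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->refcnt = 1;          /* reference owned by the file's ctx_list */
    c->in_idr = true;
    return c;
}

/* lookup by id plus a reference; fails once idr_remove() has run */
static bool ctx_get(struct ctx *c)
{
    if (!c->in_idr)
        return false;
    c->refcnt++;
    return true;
}

/* drop a reference; true when the last one is gone (the complete() point) */
static bool ctx_put(struct ctx *c)
{
    return --c->refcnt == 0;
}

/* Returns the number of accesses to already-destroyed or freed state,
 * or -1 if the ctx was never released at all. */
static int run_race(bool fixed)
{
    struct ctx *c = ctx_alloc();
    int uaf = 0;

    /* CPU0: ucma_resolve_ip() finds the ctx before idr_remove() */
    if (!ctx_get(c))
        abort();                        /* not the interleaving of interest */

    /* CPU1: ucma_close() runs idr_remove(), then either frees immediately
     * (pre-patch) or puts its reference and waits (post-patch) */
    c->in_idr = false;
    bool closer_waiting = false;
    if (fixed)
        closer_waiting = !ctx_put(c);   /* wait_for_completion() if refs remain */
    if (!closer_waiting) {
        c->id_destroyed = true;         /* rdma_destroy_id(ctx->cm_id) */
        c->freed = true;                /* ucma_free_ctx(ctx) */
    }

    /* CPU0 resumes: rdma_resolve_addr() uses cm_id, then ucma_put_ctx() */
    uaf += c->id_destroyed || c->freed; /* id_priv already torn down? */
    uaf += c->freed;                    /* ctx memory already gone? */
    bool last = ctx_put(c);

    /* CPU1 resumes once the last reference completed it */
    if (closer_waiting && last) {
        c->id_destroyed = true;
        c->freed = true;
    }

    int result = c->freed ? uaf : -1;
    free(c);
    return result;
}

int main(void)
{
    int before = run_race(false);
    int after = run_race(true);
    printf("pre-patch : %d invalid accesses\n", before);
    printf("post-patch: %d invalid accesses\n", after);
    return 0;
}
```

The pre-patch replay counts two invalid accesses (rdma_resolve_addr() on a destroyed id, then ucma_put_ctx() on freed memory); the post-patch replay counts none and still releases the ctx, because the closer only destroys after the resolver's put has brought the count to zero.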
  2. 12 Sep, 2018 1 commit
    • RDMA/uverbs: Atomically flush and mark closed the comp event queue · 67e38168
      Steve Wise authored
      Currently a uverbs completion event queue is flushed of events in
      ib_uverbs_comp_event_close() with the queue spinlock held and then
      released.  Yet ev_queue->is_closed is not set until later in
      uverbs_hot_unplug_completion_event_file().
      
      In between the time ib_uverbs_comp_event_close() releases the lock and
      uverbs_hot_unplug_completion_event_file() acquires the lock, a completion
      event can arrive and be inserted into the event queue by
      ib_uverbs_comp_handler().
      
      This can cause a "double add" list_add warning or crash depending on the
      kernel configuration, or a memory leak because the event is never dequeued
      since the queue is already closed down.
      
      So add setting ev_queue->is_closed = 1 to ib_uverbs_comp_event_close().
      
      Cc: stable@vger.kernel.org
      Fixes: 1e7710f3 ("IB/core: Change completion channel to use the reworked objects schema")
      Signed-off-by: Steve Wise <swise@opengridcomputing.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  3. 11 Sep, 2018 1 commit
  4. 06 Sep, 2018 2 commits
  5. 05 Sep, 2018 3 commits
    • RDMA/uverbs: Fix error cleanup path of ib_uverbs_add_one() · 08e74be1
      Parav Pandit authored
      If ib_uverbs_create_uapi() fails, dev_num should be freed from the bitmap.
      
      Fixes: 7d96c9b1 ("IB/uverbs: Have the core code create the uverbs_root_spec")
      Signed-off-by: Parav Pandit <parav@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces · f40f299b
      Somnath Kotur authored
      1. DMA-able memory allocated for Shadow QP was not being freed.
      2. bnxt_qplib_alloc_qp_hdr_buf() had a bug wherein the SQ pointer was
         erroneously pointing to the RQ. But since the corresponding
         free_qp_hdr_buf() was correct, memory being freed was less than what was
         allocated.
      
      Fixes: 1ac5a404 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
      Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler · 816e846c
      Aaron Knister authored
      Inside of start_xmit() the call to check if the connection is up and the
      queueing of the packets for later transmission is not atomic which leaves
      a window where cm_rep_handler can run, set the connection up, dequeue
      pending packets and leave the subsequently queued packets by start_xmit()
      sitting on neigh->queue until they're dropped when the connection is torn
      down. This only applies to connected mode. These dropped packets can
      really upset TCP, for example, and cause multi-minute delays in
      transmission for open connections.
      
      Here's the code in start_xmit where we check to see if the connection is
      up:
      
             if (ipoib_cm_get(neigh)) {
                     if (ipoib_cm_up(neigh)) {
                             ipoib_cm_send(dev, skb, ipoib_cm_get(neigh));
                             goto unref;
                     }
             }
      
      The race occurs if cm_rep_handler execution occurs after the above
      connection check (specifically if it gets to the point where it acquires
      priv->lock to dequeue pending skb's) but before the below code snippet in
      start_xmit where packets are queued.
      
             if (skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE) {
                     push_pseudo_header(skb, phdr->hwaddr);
                     spin_lock_irqsave(&priv->lock, flags);
                     __skb_queue_tail(&neigh->queue, skb);
                     spin_unlock_irqrestore(&priv->lock, flags);
             } else {
                     ++dev->stats.tx_dropped;
                     dev_kfree_skb_any(skb);
             }
      
      The patch acquires the netif tx lock in cm_rep_handler for the section
      where it sets the connection up and dequeues and retransmits deferred
      skb's.
      
      Fixes: 839fcaba ("IPoIB: Connected mode experimental support")
      Cc: stable@vger.kernel.org
      Signed-off-by: Aaron Knister <aaron.s.knister@nasa.gov>
      Tested-by: Ira Weiny <ira.weiny@intel.com>
      Reviewed-by: Ira Weiny <ira.weiny@intel.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
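The check-then-queue window described above, replayed as an added single-threaded C model (written for this page, not ipoib code). The netif tx lock is a flag that start_xmit() holds from its connection check to its enqueue; the fixed cm_rep_handler() refuses to run while it is held and is re-run once it drops, which is what taking the tx lock in the handler achieves. The same shape applies to the comp event queue commit further up the page (67e38168): with is_closed in place of cm_up, an insert that lands after the flush but before the flag is set is stranded in exactly the same way. The names xmit_check, xmit_finish, rep_handler and stranded_after_race are assumptions for illustration.

```c
/* Added example (not ipoib code): replay of the start_xmit() vs
 * cm_rep_handler() interleaving.  A counter stands in for neigh->queue;
 * tx_locked stands in for the netif tx lock held across start_xmit(). */
#include <stdbool.h>
#include <stdio.h>

struct neigh {
    bool cm_up;     /* connection established (ipoib_cm_up()) */
    int  queued;    /* skbs parked on neigh->queue */
    int  sent;      /* skbs handed to ipoib_cm_send() */
    bool tx_locked; /* netif tx lock, held for the whole of start_xmit() */
};

/* first half of start_xmit(): take the tx lock, test whether CM is up */
static bool xmit_check(struct neigh *n)
{
    n->tx_locked = true;
    return n->cm_up;
}

/* second half of start_xmit(): send now, or park on neigh->queue */
static void xmit_finish(struct neigh *n, bool up)
{
    if (up)
        n->sent++;             /* ipoib_cm_send() */
    else
        n->queued++;           /* __skb_queue_tail(&neigh->queue, skb) */
    n->tx_locked = false;
}

/* cm_rep_handler(): mark the connection up and flush the deferred skbs.
 * Returns false if it had to wait for the tx lock (fixed variant only). */
static bool rep_handler(struct neigh *n, bool fixed)
{
    if (fixed && n->tx_locked)
        return false;          /* the fixed handler blocks on the tx lock here */
    n->cm_up = true;
    n->sent += n->queued;      /* dequeue and ipoib_cm_send() each skb */
    n->queued = 0;
    return true;
}

/* Replay the interleaving; returns skbs left stranded on neigh->queue. */
static int stranded_after_race(bool fixed)
{
    struct neigh n = {0};
    bool up = xmit_check(&n);                /* sees cm_up == false */
    bool handled = rep_handler(&n, fixed);   /* REP arrives inside the window */
    xmit_finish(&n, up);                     /* parks the skb on neigh->queue */
    if (!handled)
        rep_handler(&n, fixed);              /* handler runs once the lock drops */
    return n.queued;
}

int main(void)
{
    printf("pre-patch : %d skb stranded\n", stranded_after_race(false));
    printf("post-patch: %d skb stranded\n", stranded_after_race(true));
    return 0;
}
```

Pre-patch the skb is parked after the handler has already drained the queue, so nothing will ever send it; post-patch the handler's set-up and drain run only after start_xmit() has finished, so the parked skb is flushed with the rest.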
  6. 04 Sep, 2018 3 commits
    • iw_cxgb4: only allow 1 flush on user qps · 308aa2b8
      Steve Wise authored
      Once the qp has been flushed, it cannot be flushed again.  The user qp
      flush logic wasn't enforcing it however.  The bug can cause
      touch-after-free crashes like:
      
      Unable to handle kernel paging request for data at address 0x000001ec
      Faulting instruction address: 0xc008000016069100
      Oops: Kernel access of bad area, sig: 11 [#1]
      ...
      NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
      LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
      Call Trace:
      [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
      [c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
      [c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
      [c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
      [c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
      [c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
      [c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
      [c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
      [c000000000444da4] __fput+0xe4/0x2f0
      
      So fix flush_qp() to only flush the wq once.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Steve Wise <swise@opengridcomputing.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • IB/core: Release object lock if destroy failed · e4ff3d22
      Artemy Kovalyov authored
      The object lock was supposed to always be released during destroy, but
      when the destruction retry series was integrated with the destroy series
      it created a failure path that missed the unlock.
      
      Keep with convention, if destroy fails the caller must undo all locking.
      
      Fixes: 87ad80ab ("IB/uverbs: Consolidate uobject destruction")
      Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • RDMA/ucma: check fd type in ucma_migrate_id() · 0d23ba60
      Jann Horn authored
      The current code grabs the private_data of whatever file descriptor
      userspace has supplied and implicitly casts it to a `struct ucma_file *`,
      potentially causing a type confusion.
      
      This is probably fine in practice because the pointer is only used for
      comparisons, it is never actually dereferenced; and even in the
      comparisons, it is unlikely that a file from another filesystem would have
      a ->private_data pointer that happens to also be valid in this context.
      But ->private_data is not always guaranteed to be a valid pointer to an
      object owned by the file's filesystem; for example, some filesystems just
      cram numbers in there.
      
      Check the type of the supplied file descriptor to be safe, analogous to how
      other places in the kernel do it.
      
      Fixes: 88314e4d ("RDMA/cma: add support for rdma_migrate_id()")
      Signed-off-by: Jann Horn <jannh@google.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  7. 02 Sep, 2018 8 commits
    • Linux 4.19-rc2 · 57361846
      Linus Torvalds authored
    • Merge tag 'devicetree-fixes-for-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · fd6868d8
      Linus Torvalds authored
      Pull devicetree updates from Rob Herring:
       "A couple of new helper functions in preparation for some tree wide
        clean-ups.
      
        I'm sending these new helpers now for rc2 in order to simplify the
        dependencies on subsequent cleanups across the tree in 4.20"
      
      * tag 'devicetree-fixes-for-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        of: Add device_type access helper functions
        of: add node name compare helper functions
        of: add helper to lookup compatible child node
    • Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · a3ea9911
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "First batch of fixes post-merge window:
      
         - A handful of devicetree changes for i.MX2{3,8} to change over to
           new panel bindings. The platforms were moved from legacy
           framebuffers to DRM and some development board panels hadn't yet
           been converted.
      
         - OMAP fixes related to ti-sysc driver conversion fallout, fixing
           some register offsets, no_console_suspend fixes, etc.
      
         - Droid4 changes to fix flaky eMMC probing and vibrator DTS mismerge.
      
         - Fixed 0755->0644 permissions on a newly added file.
      
         - Defconfig changes to make ARM Versatile more useful with QEMU
           (helps testing).
      
         - Enable defconfig options for new TI SoC platform that was merged
           this window (AM6)"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        arm64: defconfig: Enable TI's AM6 SoC platform
        ARM: defconfig: Update the ARM Versatile defconfig
        ARM: dts: omap4-droid4: Fix emmc errors seen on some devices
        ARM: dts: Fix file permission for am335x-osd3358-sm-red.dts
        ARM: imx_v6_v7_defconfig: Select CONFIG_DRM_PANEL_SEIKO_43WVF1G
        ARM: mxs_defconfig: Select CONFIG_DRM_PANEL_SEIKO_43WVF1G
        ARM: dts: imx23-evk: Convert to the new display bindings
        ARM: dts: imx23-evk: Move regulators outside simple-bus
        ARM: dts: imx28-evk: Convert to the new display bindings
        ARM: dts: imx28-evk: Move regulators outside simple-bus
        Revert "ARM: dts: imx7d: Invert legacy PCI irq mapping"
        arm: dts: am4372: setup rtc as system-power-controller
        ARM: dts: omap4-droid4: fix vibrations on Droid 4
        bus: ti-sysc: Fix no_console_suspend handling
        bus: ti-sysc: Fix module register ioremap for larger offsets
        ARM: OMAP2+: Fix module address for modules using mpu_rt_idx
        ARM: OMAP2+: Fix null hwmod for ti-sysc debug
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 899ba795
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "Speculation:
      
         - Make the microcode check more robust
      
         - Make the L1TF memory limit depend on the internal cache physical
           address space and not on the CPUID advertised physical address
           space, which might be significantly smaller. This avoids disabling
           L1TF on machines which utilize the full physical address space.
      
         - Fix the GDT mapping for EFI calls on 32bit PTI
      
         - Fix the MCE nospec implementation to prevent #GP
      
        Fixes and robustness:
      
         - Use the proper operand order for LSL in the VDSO
      
         - Prevent NMI uaccess race against CR3 switching
      
         - Add a lockdep check to verify that text_mutex is held in
           text_poke() functions
      
         - Repair the fallout of giving native_restore_fl() a prototype
      
         - Prevent kernel memory dumps based on usermode RIP
      
         - Wipe KASAN shadow stack before rewinding the stack to prevent false
           positives
      
         - Move the ASM GOTO enforcement to the actual build stage to allow
           user API header extraction without a compiler
      
         - Fix a section mismatch introduced by the on demand VDSO mapping
           change
      
        Miscellaneous:
      
         - Trivial typo, GCC quirk removal and CC_SET/OUT() cleanups"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/pti: Fix section mismatch warning/error
        x86/vdso: Fix lsl operand order
        x86/mce: Fix set_mce_nospec() to avoid #GP fault
        x86/efi: Load fixmap GDT in efi_call_phys_epilog()
        x86/nmi: Fix NMI uaccess race against CR3 switching
        x86: Allow generating user-space headers without a compiler
        x86/dumpstack: Don't dump kernel memory based on usermode RIP
        x86/asm: Use CC_SET()/CC_OUT() in __gen_sigismember()
        x86/alternatives: Lockdep-enforce text_mutex in text_poke*()
        x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit()
        x86/irqflags: Mark native_restore_fl extern inline
        x86/build: Remove jump label quirk for GCC older than 4.5.2
        x86/Kconfig: Fix trivial typo
        x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
        x86/spectre: Add missing family 6 check to microcode check
    • Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1395d109
      Linus Torvalds authored
      Pull CPU hotplug fix from Thomas Gleixner:
       "Remove the stale skip_onerr member from the hotplug states"
      
      * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        cpu/hotplug: Remove skip_onerr field from cpuhp_step structure
    • Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 501dacbc
      Linus Torvalds authored
      Pull core fixes from Thomas Gleixner:
       "A small set of updates for core code:
      
         - Prevent tracing in functions which are called from trace patching
           via stop_machine() to prevent executing half patched function trace
           entries.
      
         - Remove old GCC workarounds
      
         - Remove pointless includes of notifier.h"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Remove workaround for unreachable warnings from old GCC
        notifier: Remove notifier header file wherever not used
        watchdog: Mark watchdog touch functions as notrace
    • x86/pti: Fix section mismatch warning/error · ff924c5a
      Randy Dunlap authored
      Fix the section mismatch warning in arch/x86/mm/pti.c:
      
      WARNING: vmlinux.o(.text+0x6972a): Section mismatch in reference from the function pti_clone_pgtable() to the function .init.text:pti_user_pagetable_walk_pte()
      The function pti_clone_pgtable() references
      the function __init pti_user_pagetable_walk_pte().
      This is often because pti_clone_pgtable lacks a __init
      annotation or the annotation of pti_user_pagetable_walk_pte is wrong.
      FATAL: modpost: Section mismatches detected.
      
      Fixes: 85900ea5 ("x86/pti: Map the vsyscall page if needed")
      Reported-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: Andy Lutomirski <luto@kernel.org>
      Link: https://lkml.kernel.org/r/43a6d6a3-d69d-5eda-da09-0b1c88215a2a@infradead.org
    • Merge tag 'omap-for-v4.19/fixes-v2-signed' of... · a72b44a8
      Olof Johansson authored
      Merge tag 'omap-for-v4.19/fixes-v2-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes
      
      Fixes for omap variants against v4.19-rc1
      
      These are mostly fixes related to using ti-sysc interconnect target module
      driver for accessing right register offsets for sgx and cpsw and for
      no_console_suspend regression.
      
      There is also a droid4 emmc fix where emmc may not get detected for some
      models, and vibrator dts mismerge fix.
      
      And we have a file permission fix for am335x-osd3358-sm-red.dts that
      just got added. And we must tag RTC as system-power-controller for
      am437x for PMIC to shut down during poweroff.
      
      * tag 'omap-for-v4.19/fixes-v2-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
        ARM: dts: omap4-droid4: Fix emmc errors seen on some devices
        ARM: dts: Fix file permission for am335x-osd3358-sm-red.dts
        arm: dts: am4372: setup rtc as system-power-controller
        ARM: dts: omap4-droid4: fix vibrations on Droid 4
        bus: ti-sysc: Fix no_console_suspend handling
        bus: ti-sysc: Fix module register ioremap for larger offsets
        ARM: OMAP2+: Fix module address for modules using mpu_rt_idx
        ARM: OMAP2+: Fix null hwmod for ti-sysc debug
      Signed-off-by: Olof Johansson <olof@lixom.net>
  8. 01 Sep, 2018 4 commits
  9. 31 Aug, 2018 15 commits
  10. 30 Aug, 2018 2 commits