1. 24 Jan, 2019 1 commit
    • Colin Ian King's avatar
      cifs: fix memory leak of an allocated cifs_ntsd structure · 73aaf920
      Colin Ian King authored
      The call to SMB2_queary_acl can allocate memory to pntsd and also
      return a failure via a call to SMB2_query_acl (and then query_info).
      This occurs when query_info allocates the structure and then in
      query_info the call to smb2_validate_and_copy_iov fails. Currently the
      failure just returns without kfree'ing pntsd hence causing a memory
      leak.
      
      Currently, *data is allocated if it's not already pointing to a buffer,
      so it needs to be kfree'd only if was allocated in query_info, so the
      fix adds an allocated flag to track this.  Also set *dlen to zero on
      an error just to be safe since *data is kfree'd.
      
      Also set errno to -ENOMEM if the allocation of *data fails.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarDan Carpener <dan.carpenter@oracle.com>
      73aaf920
  2. 23 Jan, 2019 11 commits
    • Linus Torvalds's avatar
      Revert "Change mincore() to count "mapped" pages rather than "cached" pages" · 30bac164
      Linus Torvalds authored
      This reverts commit 574823bf.
      
      It turns out that my hope that we could just remove the code that
      exposes the cache residency status from mincore() was too optimistic.
      
      There are various random users that want it, and one example would be
      the Netflix database cluster maintenance. To quote Josh Snyder:
      
       "For Netflix, losing accurate information from the mincore syscall
        would lengthen database cluster maintenance operations from days to
        months. We rely on cross-process mincore to migrate the contents of a
        page cache from machine to machine, and across reboots.
      
        To do this, I wrote and maintain happycache [1], a page cache
        dumper/loader tool. It is quite similar in architecture to pgfincore,
        except that it is agnostic to workload. The gist of happycache's
        operation is "produce a dump of residence status for each page, do
        some operation, then reload exactly the same pages which were present
        before." happycache is entirely dependent on accurate reporting of the
        in-core status of file-backed pages, as accessed by another process.
      
        We primarily use happycache with Cassandra, which (like Postgres +
        pgfincore) relies heavily on OS page cache to reduce disk accesses.
        Because our workloads never experience a cold page cache, we are able
        to provision hardware for a peak utilization level that is far lower
        than the hypothetical "every query is a cache miss" peak.
      
        A database warmed by happycache can be ready for service in seconds
        (bounded only by the performance of the drives and the I/O subsystem),
        with no period of in-service degradation. By contrast, putting a
        database in service without a page cache entails a potentially
        unbounded period of degradation (at Netflix, the time to populate a
        single node's cache via natural cache misses varies by workload from
        hours to weeks). If a single node upgrade were to take weeks, then
        upgrading an entire cluster would take months. Since we want to apply
        security upgrades (and other things) on a somewhat tighter schedule,
        we would have to develop more complex solutions to provide the same
        functionality already provided by mincore.
      
        At the bottom line, happycache is designed to benignly exploit the
        same information leak documented in the paper [2]. I think it makes
        perfect sense to remove cross-process mincore functionality from
        unprivileged users, but not to remove it entirely"
      
      We do have an alternate approach that limits the cache residency
      reporting only to processes that have write permissions to the file, so
      we can fix the original information leak issue that way.  It involves
      _adding_ code rather than removing it, which is sad, but hey, at least
      we haven't found any users that would find the restrictions
      unacceptable.
      
      So revert the optimistic first approach to make room for that alternate
      fix instead.
      Reported-by: default avatarJosh Snyder <joshs@netflix.com>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Dominique Martinet <asmadeus@codewreck.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Kevin Easton <kevin@guarana.org>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Cyril Hrubis <chrubis@suse.cz>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Kirill A. Shutemov <kirill@shutemov.name>
      Cc: Daniel Gruss <daniel@gruss.cc>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      30bac164
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.0' of git://github.com/cminyard/linux-ipmi · db781446
      Linus Torvalds authored
      Pull IPMI fixes from Corey Minyard:
       "I missed the merge window, which wasn't really important at the time
        as there was nothing that critical that I had for 5.0.
      
        However, I say that,and then a number of critical fixes come in:
      
         - ipmi: fix use-after-free of user->release_barrier.rda
         - ipmi: Prevent use-after-free in deliver_response
         - ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
      
        which are obvious candidates for 5.0.  Then there is:
      
         - ipmi:ssif: Fix handling of multi-part return messages
      
        which is less critical, but it still has some off-by-one things that
        are not great, so it seemed appropriate. Some machines are broken
        without it. Then:
      
         - ipmi: Don't initialize anything in the core until something uses it
      
        It turns out that using SRCU causes large chunks of memory to be used
        on big iron machines, even if IPMI is never used. This was causing
        some issues for people on those machines.
      
        Everything here is destined for stable"
      
      * tag 'for-linus-5.0' of git://github.com/cminyard/linux-ipmi:
        ipmi: Don't initialize anything in the core until something uses it
        ipmi: fix use-after-free of user->release_barrier.rda
        ipmi: Prevent use-after-free in deliver_response
        ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
        ipmi:ssif: Fix handling of multi-part return messages
      db781446
    • Linus Torvalds's avatar
      Merge tag 's390-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 09c2fe60
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
      
       - Do not claim to run under z/VM if the hypervisor can not be
         identified
      
       - Fix crashes due to outdated ASCEs in CR1
      
       - Avoid a deadlock in regard to CPU hotplug
      
       - Really fix the vdso mapping issue for compat tasks
      
       - Avoid crash on restart due to an incorrect stack address
      
      * tag 's390-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU
        s390/vdso: correct vdso mapping for compat tasks
        s390/smp: fix CPU hotplug deadlock with CPU rescan
        s390/mm: always force a load of the primary ASCE on context switch
        s390/early: improve machine detection
      09c2fe60
    • Corey Minyard's avatar
      ipmi: Don't initialize anything in the core until something uses it · 913a89f0
      Corey Minyard authored
      The IPMI driver was recently modified to use SRCU, but it turns out
      this uses a chunk of percpu memory, even if IPMI is never used.
      
      So modify thing to on initialize on the first use.  There was already
      code to sort of handle this for handling init races, so piggy back
      on top of that, and simplify it in the process.
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Reported-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Reviewed-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: stable@vger.kernel.org # 4.18
      913a89f0
    • Yang Yingliang's avatar
      ipmi: fix use-after-free of user->release_barrier.rda · 77f82696
      Yang Yingliang authored
      When we do the following test, we got oops in ipmi_msghandler driver
      while((1))
      do
      	service ipmievd restart & service ipmievd restart
      done
      
      ---------------------------------------------------------------
      [  294.230186] Unable to handle kernel paging request at virtual address 0000803fea6ea008
      [  294.230188] Mem abort info:
      [  294.230190]   ESR = 0x96000004
      [  294.230191]   Exception class = DABT (current EL), IL = 32 bits
      [  294.230193]   SET = 0, FnV = 0
      [  294.230194]   EA = 0, S1PTW = 0
      [  294.230195] Data abort info:
      [  294.230196]   ISV = 0, ISS = 0x00000004
      [  294.230197]   CM = 0, WnR = 0
      [  294.230199] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000a1c1b75a
      [  294.230201] [0000803fea6ea008] pgd=0000000000000000
      [  294.230204] Internal error: Oops: 96000004 [#1] SMP
      [  294.235211] Modules linked in: nls_utf8 isofs rpcrdma ib_iser ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_umad rdma_cm ib_cm iw_cm dm_mirror dm_region_hash dm_log dm_mod aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce sha2_ce ses sha256_arm64 sha1_ce hibmc_drm hisi_sas_v2_hw enclosure sg hisi_sas_main sbsa_gwdt ip_tables mlx5_ib ib_uverbs marvell ib_core mlx5_core ixgbe ipmi_si mdio hns_dsaf ipmi_devintf ipmi_msghandler hns_enet_drv hns_mdio
      [  294.277745] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted 5.0.0-rc2+ #113
      [  294.285511] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.37 11/21/2017
      [  294.292835] pstate: 80000005 (Nzcv daif -PAN -UAO)
      [  294.297695] pc : __srcu_read_lock+0x38/0x58
      [  294.301940] lr : acquire_ipmi_user+0x2c/0x70 [ipmi_msghandler]
      [  294.307853] sp : ffff00001001bc80
      [  294.311208] x29: ffff00001001bc80 x28: ffff0000117e5000
      [  294.316594] x27: 0000000000000000 x26: dead000000000100
      [  294.321980] x25: dead000000000200 x24: ffff803f6bd06800
      [  294.327366] x23: 0000000000000000 x22: 0000000000000000
      [  294.332752] x21: ffff00001001bd04 x20: ffff80df33d19018
      [  294.338137] x19: ffff80df33d19018 x18: 0000000000000000
      [  294.343523] x17: 0000000000000000 x16: 0000000000000000
      [  294.348908] x15: 0000000000000000 x14: 0000000000000002
      [  294.354293] x13: 0000000000000000 x12: 0000000000000000
      [  294.359679] x11: 0000000000000000 x10: 0000000000100000
      [  294.365065] x9 : 0000000000000000 x8 : 0000000000000004
      [  294.370451] x7 : 0000000000000000 x6 : ffff80df34558678
      [  294.375836] x5 : 000000000000000c x4 : 0000000000000000
      [  294.381221] x3 : 0000000000000001 x2 : 0000803fea6ea000
      [  294.386607] x1 : 0000803fea6ea008 x0 : 0000000000000001
      [  294.391994] Process swapper/3 (pid: 0, stack limit = 0x0000000083087293)
      [  294.398791] Call trace:
      [  294.401266]  __srcu_read_lock+0x38/0x58
      [  294.405154]  acquire_ipmi_user+0x2c/0x70 [ipmi_msghandler]
      [  294.410716]  deliver_response+0x80/0xf8 [ipmi_msghandler]
      [  294.416189]  deliver_local_response+0x28/0x68 [ipmi_msghandler]
      [  294.422193]  handle_one_recv_msg+0x158/0xcf8 [ipmi_msghandler]
      [  294.432050]  handle_new_recv_msgs+0xc0/0x210 [ipmi_msghandler]
      [  294.441984]  smi_recv_tasklet+0x8c/0x158 [ipmi_msghandler]
      [  294.451618]  tasklet_action_common.isra.5+0x88/0x138
      [  294.460661]  tasklet_action+0x2c/0x38
      [  294.468191]  __do_softirq+0x120/0x2f8
      [  294.475561]  irq_exit+0x134/0x140
      [  294.482445]  __handle_domain_irq+0x6c/0xc0
      [  294.489954]  gic_handle_irq+0xb8/0x178
      [  294.497037]  el1_irq+0xb0/0x140
      [  294.503381]  arch_cpu_idle+0x34/0x1a8
      [  294.510096]  do_idle+0x1d4/0x290
      [  294.516322]  cpu_startup_entry+0x28/0x30
      [  294.523230]  secondary_start_kernel+0x184/0x1d0
      [  294.530657] Code: d538d082 d2800023 8b010c81 8b020021 (c85f7c25)
      [  294.539746] ---[ end trace 8a7a880dee570b29 ]---
      [  294.547341] Kernel panic - not syncing: Fatal exception in interrupt
      [  294.556837] SMP: stopping secondary CPUs
      [  294.563996] Kernel Offset: disabled
      [  294.570515] CPU features: 0x002,21006008
      [  294.577638] Memory Limit: none
      [  294.587178] Starting crashdump kernel...
      [  294.594314] Bye!
      
      Because the user->release_barrier.rda is freed in ipmi_destroy_user(), but
      the refcount is not zero, when acquire_ipmi_user() uses user->release_barrier.rda
      in __srcu_read_lock(), it causes oops.
      Fix this by calling cleanup_srcu_struct() when the refcount is zero.
      
      Fixes: e86ee2d4 ("ipmi: Rework locking and shutdown for hot remove")
      Cc: stable@vger.kernel.org # 4.18
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      77f82696
    • Fred Klassen's avatar
      ipmi: Prevent use-after-free in deliver_response · 479d6b39
      Fred Klassen authored
      Some IPMI modules (e.g. ibmpex_msg_handler()) will have ipmi_usr_hdlr
      handlers that call ipmi_free_recv_msg() directly. This will essentially
      kfree(msg), leading to use-after-free.
      
      This does not happen in the ipmi_devintf module, which will queue the
      message and run ipmi_free_recv_msg() later.
      
      BUG: KASAN: use-after-free in deliver_response+0x12f/0x1b0
      Read of size 8 at addr ffff888a7bf20018 by task ksoftirqd/3/27
      CPU: 3 PID: 27 Comm: ksoftirqd/3 Tainted: G           O      4.19.11-amd64-ani99-debug #12.0.1.601133+pv
      Hardware name: AppNeta r1000/X11SPW-TF, BIOS 2.1a-AP 09/17/2018
      Call Trace:
      dump_stack+0x92/0xeb
      print_address_description+0x73/0x290
      kasan_report+0x258/0x380
      deliver_response+0x12f/0x1b0
      ? ipmi_free_recv_msg+0x50/0x50
      deliver_local_response+0xe/0x50
      handle_one_recv_msg+0x37a/0x21d0
      handle_new_recv_msgs+0x1ce/0x440
      ...
      
      Allocated by task 9885:
      kasan_kmalloc+0xa0/0xd0
      kmem_cache_alloc_trace+0x116/0x290
      ipmi_alloc_recv_msg+0x28/0x70
      i_ipmi_request+0xb4a/0x1640
      ipmi_request_settime+0x1b8/0x1e0
      ...
      
      Freed by task 27:
      __kasan_slab_free+0x12e/0x180
      kfree+0xe9/0x280
      deliver_response+0x122/0x1b0
      deliver_local_response+0xe/0x50
      handle_one_recv_msg+0x37a/0x21d0
      handle_new_recv_msgs+0x1ce/0x440
      tasklet_action_common.isra.19+0xc4/0x250
      __do_softirq+0x11f/0x51f
      
      Fixes: e86ee2d4 ("ipmi: Rework locking and shutdown for hot remove")
      Cc: stable@vger.kernel.org # 4.18
      Signed-off-by: default avatarFred Klassen <fklassen@appneta.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      479d6b39
    • Gustavo A. R. Silva's avatar
      ipmi: msghandler: Fix potential Spectre v1 vulnerabilities · a7102c74
      Gustavo A. R. Silva authored
      channel and addr->channel are indirectly controlled by user-space,
      hence leading to a potential exploitation of the Spectre variant 1
      vulnerability.
      
      These issues were detected with the help of Smatch:
      
      drivers/char/ipmi/ipmi_msghandler.c:1381 ipmi_set_my_address() warn: potential spectre issue 'user->intf->addrinfo' [w] (local cap)
      drivers/char/ipmi/ipmi_msghandler.c:1401 ipmi_get_my_address() warn: potential spectre issue 'user->intf->addrinfo' [r] (local cap)
      drivers/char/ipmi/ipmi_msghandler.c:1421 ipmi_set_my_LUN() warn: potential spectre issue 'user->intf->addrinfo' [w] (local cap)
      drivers/char/ipmi/ipmi_msghandler.c:1441 ipmi_get_my_LUN() warn: potential spectre issue 'user->intf->addrinfo' [r] (local cap)
      drivers/char/ipmi/ipmi_msghandler.c:2260 check_addr() warn: potential spectre issue 'intf->addrinfo' [r] (local cap)
      
      Fix this by sanitizing channel and addr->channel before using them to
      index user->intf->addrinfo and intf->addrinfo, correspondingly.
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      a7102c74
    • Corey Minyard's avatar
      ipmi:ssif: Fix handling of multi-part return messages · 7d6380cd
      Corey Minyard authored
      The block number was not being compared right, it was off by one
      when checking the response.
      
      Some statistics wouldn't be incremented properly in some cases.
      
      Check to see if that middle-part messages always have 31 bytes of
      data.
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Cc: stable@vger.kernel.org # 4.4
      7d6380cd
    • Linus Torvalds's avatar
      Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux · 333478a7
      Linus Torvalds authored
      Pull thermal management fixes from Zhang Rui:
      
       - Fix a race condition that sysfs could be accessed before necessary
         initialization in int340x thermal driver. (Aaron Hill)
      
       - Fix a NULL vs IS_ERR() check in int340x thermal driver. (Dan
         Carpenter)
      
      * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
        drivers: thermal: int340x_thermal: Fix sysfs race condition
        thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
      333478a7
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 0b0d4be6
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "This is a sort of random collection of clk fixes that have come in
        since the merge window:
      
         - Handful of memory allocation and potentially bad pointer usage
           fixes
      
         - JSON format was incorrect for clk_dump because it missed a comma
      
         - Two Kconfig fixes, one duplicate and one missing select line
      
         - Compiler warning fix for the VC5 clk driver
      
         - Name and rate fixes for PLLs in the stratix10 driver so it can
           properly detect PLL rates and parents"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: socfpga: stratix10: fix naming convention for the fixed-clocks
        clk: socfpga: stratix10: fix rate calculation for pll clocks
        clk: qcom: Select QCOM_GDSC with MSM_GCC_8998
        clk: vc5: Abort clock configuration without upstream clock
        clk: sysfs: fix invalid JSON in clk_dump
        clk: imx: Remove Kconfig duplicate include
        clk: zynqmp: Fix memory allocation in zynqmp_clk_setup
        clk: tegra: dfll: Fix a potential Oop in remove()
        clk: imx: fix potential NULL dereference in imx8qxp_lpcg_clk_probe()
      0b0d4be6
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-5.0-rc4' of... · 8f45fa27
      Linus Torvalds authored
      Merge tag 'linux-kselftest-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
       "Fixes to rtc, seccomp and other tests"
      
      * tag 'linux-kselftest-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/seccomp: Abort without user notification support
        selftests: gpio-mockup-chardev: Check asprintf() for error
        selftests: seccomp: use LDLIBS instead of LDFLAGS
        selftests/vm/gup_benchmark.c: match gup struct to kernel
        tools/testing/selftests/x86/unwind_vdso.c: Remove duplicate header
        x86/mpx/selftests: fix spelling mistake "succeded" -> "succeeded"
        selftests: rtc: rtctest: add alarm test on minute boundary
        selftests: rtc: rtctest: fix alarm tests
      8f45fa27
  3. 22 Jan, 2019 3 commits
  4. 21 Jan, 2019 5 commits
  5. 20 Jan, 2019 13 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 7d0ae236
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix endless loop in nf_tables, from Phil Sutter.
      
       2) Fix cross namespace ip6_gre tunnel hash list corruption, from
          Olivier Matz.
      
       3) Don't be too strict in phy_start_aneg() otherwise we might not allow
          restarting auto negotiation. From Heiner Kallweit.
      
       4) Fix various KMSAN uninitialized value cases in tipc, from Ying Xue.
      
       5) Memory leak in act_tunnel_key, from Davide Caratti.
      
       6) Handle chip errata of mv88e6390 PHY, from Andrew Lunn.
      
       7) Remove linear SKB assumption in fou/fou6, from Eric Dumazet.
      
       8) Missing udplite rehash callbacks, from Alexey Kodanev.
      
       9) Log dirty pages properly in vhost, from Jason Wang.
      
      10) Use consume_skb() in neigh_probe() as this is a normal free not a
          drop, from Yang Wei. Likewise in macvlan_process_broadcast().
      
      11) Missing device_del() in mdiobus_register() error paths, from Thomas
          Petazzoni.
      
      12) Fix checksum handling of short packets in mlx5, from Cong Wang.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (96 commits)
        bpf: in __bpf_redirect_no_mac pull mac only if present
        virtio_net: bulk free tx skbs
        net: phy: phy driver features are mandatory
        isdn: avm: Fix string plus integer warning from Clang
        net/mlx5e: Fix cb_ident duplicate in indirect block register
        net/mlx5e: Fix wrong (zero) TX drop counter indication for representor
        net/mlx5e: Fix wrong error code return on FEC query failure
        net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
        tools: bpftool: Cleanup license mess
        bpf: fix inner map masking to prevent oob under speculation
        bpf: pull in pkt_sched.h header for tooling to fix bpftool build
        selftests: forwarding: Add a test case for externally learned FDB entries
        selftests: mlxsw: Test FDB offload indication
        mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky
        net: bridge: Mark FDB entries that were added by user as such
        mlxsw: spectrum_fid: Update dummy FID index
        mlxsw: pci: Return error on PCI reset timeout
        mlxsw: pci: Increase PCI SW reset timeout
        mlxsw: pci: Ring CQ's doorbell before RDQ's
        MAINTAINERS: update email addresses of liquidio driver maintainers
        ...
      7d0ae236
    • Kees Cook's avatar
      pstore/ram: Avoid allocation and leak of platform data · 5631e857
      Kees Cook authored
      Yue Hu noticed that when parsing device tree the allocated platform data
      was never freed. Since it's not used beyond the function scope, this
      switches to using a stack variable instead.
      Reported-by: default avatarYue Hu <huyue2@yulong.com>
      Fixes: 35da6094 ("pstore/ram: add Device Tree bindings")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      5631e857
    • Ard Biesheuvel's avatar
      gcc-plugins: arm_ssp_per_task_plugin: fix for GCC 9+ · 2c88c742
      Ard Biesheuvel authored
      GCC 9 reworks the way the references to the stack canary are
      emitted, to prevent the value from being spilled to the stack
      before the final comparison in the epilogue, defeating the
      purpose, given that the spill slot is under control of the
      attacker that we are protecting ourselves from.
      
      Since our canary value address is obtained without accessing
      memory (as opposed to pre-v7 code that will obtain it from a
      literal pool), it is unlikely (although not guaranteed) that
      the compiler will spill the canary value in the same way, so
      let's just disable this improvement when building with GCC9+.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      2c88c742
    • Ard Biesheuvel's avatar
      gcc-plugins: arm_ssp_per_task_plugin: sign extend the SP mask · 560706d5
      Ard Biesheuvel authored
      The ARM per-task stack protector GCC plugin hits an assert in
      the compiler in some case, due to the fact the the SP mask
      expression is not sign-extended as it should be. So fix that.
      Suggested-by: default avatarKugan Vivekanandarajah <kugan.vivekanandarajah@linaro.org>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      560706d5
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · bb617b9b
      Linus Torvalds authored
      Pull virtio/vhost fixes and cleanups from Michael Tsirkin:
       "Fixes and cleanups all over the place"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vhost/scsi: Use copy_to_iter() to send control queue response
        vhost: return EINVAL if iovecs size does not match the message size
        virtio-balloon: tweak config_changed implementation
        virtio: don't allocate vqs when names[i] = NULL
        virtio_pci: use queue idx instead of array idx to set up the vq
        virtio: document virtio_config_ops restrictions
        virtio: fix virtio_config_ops description
      bb617b9b
    • Linus Torvalds's avatar
      Merge tag 'for-5.0-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 1be969f4
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "A handful of fixes (some of them in testing for a long time):
      
         - fix some test failures regarding cleanup after transaction abort
      
         - revert of a patch that could cause a deadlock
      
         - delayed iput fixes, that can help in ENOSPC situation when there's
           low space and a lot data to write"
      
      * tag 'for-5.0-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: wakeup cleaner thread when adding delayed iput
        btrfs: run delayed iputs before committing
        btrfs: wait on ordered extents on abort cleanup
        btrfs: handle delayed ref head accounting cleanup in abort
        Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
      1be969f4
    • Linus Torvalds's avatar
      Merge tags 'compiler-attributes-for-linus-v5.0-rc3' and... · 315a6d85
      Linus Torvalds authored
      Merge tags 'compiler-attributes-for-linus-v5.0-rc3' and 'clang-format-for-linus-v5.0-rc3' of git://github.com/ojeda/linux
      
      Pull misc clang fixes from Miguel Ojeda:
      
        - A fix for OPTIMIZER_HIDE_VAR from Michael S Tsirkin
      
        - Update clang-format with the latest for_each macro list from Jason
          Gunthorpe
      
      * tag 'compiler-attributes-for-linus-v5.0-rc3' of git://github.com/ojeda/linux:
        include/linux/compiler*.h: fix OPTIMIZER_HIDE_VAR
      
      * tag 'clang-format-for-linus-v5.0-rc3' of git://github.com/ojeda/linux:
        clang-format: Update .clang-format with the latest for_each macro list
      315a6d85
    • Florian La Roche's avatar
      fix int_sqrt64() for very large numbers · fbfaf851
      Florian La Roche authored
      If an input number x for int_sqrt64() has the highest bit set, then
      fls64(x) is 64.  (1UL << 64) is an overflow and breaks the algorithm.
      
      Subtracting 1 is a better guess for the initial value of m anyway and
      that's what also done in int_sqrt() implicitly [*].
      
      [*] Note how int_sqrt() uses __fls() with two underscores, which already
          returns the proper raw bit number.
      
          In contrast, int_sqrt64() used fls64(), and that returns bit numbers
          illogically starting at 1, because of error handling for the "no
          bits set" case. Will points out that he bug probably is due to a
          copy-and-paste error from the regular int_sqrt() case.
      Signed-off-by: default avatarFlorian La Roche <Florian.LaRoche@googlemail.com>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fbfaf851
    • Will Deacon's avatar
      x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() · 6e693b3f
      Will Deacon authored
      Commit 594cc251 ("make 'user_access_begin()' do 'access_ok()'")
      makes the access_ok() check part of the user_access_begin() preceding a
      series of 'unsafe' accesses.  This has the desirable effect of ensuring
      that all 'unsafe' accesses have been range-checked, without having to
      pick through all of the callsites to verify whether the appropriate
      checking has been made.
      
      However, the consolidated range check does not inhibit speculation, so
      it is still up to the caller to ensure that they are not susceptible to
      any speculative side-channel attacks for user addresses that ultimately
      fail the access_ok() check.
      
      This is an oversight, so use __uaccess_begin_nospec() to ensure that
      speculation is inhibited until the access_ok() check has passed.
      Reported-by: default avatarJulien Thierry <julien.thierry@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6e693b3f
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · b0f3e768
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "Three arm64 fixes for -rc3.
      
        We've plugged a couple of nasty issues involving KASLR-enabled
        kernels, and removed a redundant #define that was introduced as part
        of the KHWASAN fixes from akpm at -rc2.
      
         - Fix broken kpti page-table rewrite in bizarre KASLR configuration
      
         - Fix module loading with KASLR
      
         - Remove redundant definition of ARCH_SLAB_MINALIGN"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        kasan, arm64: remove redundant ARCH_SLAB_MINALIGN define
        arm64: kaslr: ensure randomized quantities are clean to the PoC
        arm64: kpti: Update arm64_kernel_use_ng_mappings() when forced on
      b0f3e768
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 6436408e
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2019-01-20
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix a out-of-bounds access in __bpf_redirect_no_mac, from Willem.
      
      2) Fix bpf_setsockopt to reset sock dst on SO_MARK changes, from Peter.
      
      3) Fix map in map masking to prevent out-of-bounds access under
         speculative execution, from Daniel.
      
      4) Fix bpf_setsockopt's SO_MAX_PACING_RATE to support TCP internal
         pacing, from Yuchung.
      
      5) Fix json writer license in bpftool, from Thomas.
      
      6) Fix AF_XDP to check if an actually queue exists during umem
         setup, from Krzysztof.
      
      7) Several fixes to BPF stackmap's build id handling. Another fix
         for bpftool build to account for libbfd variations wrt linking
         requirements, from Stanislav.
      
      8) Fix BPF samples build with clang by working around missing asm
         goto, from Yonghong.
      
      9) Fix libbpf to retry program load on signal interrupt, from Lorenz.
      
      10) Various minor compile warning fixes in BPF code, from Mathieu.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6436408e
    • Willem de Bruijn's avatar
      bpf: in __bpf_redirect_no_mac pull mac only if present · e7c87bd6
      Willem de Bruijn authored
      Syzkaller was able to construct a packet of negative length by
      redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:
      
          BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
          BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
          BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
          Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942
      
          kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
          check_memory_region_inline mm/kasan/kasan.c:260 [inline]
          check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
          memcpy+0x23/0x50 mm/kasan/kasan.c:302
          memcpy include/linux/string.h:345 [inline]
          skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
          __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
          __pskb_copy include/linux/skbuff.h:1053 [inline]
          pskb_copy include/linux/skbuff.h:2904 [inline]
          skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
          ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
          sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
          __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
          netdev_start_xmit include/linux/netdevice.h:4334 [inline]
          xmit_one net/core/dev.c:3219 [inline]
          dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
          __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
          dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
          __bpf_tx_skb net/core/filter.c:2016 [inline]
          __bpf_redirect_common net/core/filter.c:2054 [inline]
          __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
          ____bpf_clone_redirect net/core/filter.c:2094 [inline]
          bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
          bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000
      
      The generated test constructs a packet with mac header, network
      header, skb->data pointing to network header and skb->len 0.
      
      Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
      mac length, even though skb->data already is at skb->network_header.
      bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.
      
      Update the offset calculation to pull only if skb->data differs
      from skb->network_header, which is not true in this case.
      
      The test itself can be run only from commit 1cf1cae9 ("bpf:
      introduce BPF_PROG_TEST_RUN command"), but the same type of packets
      with skb at network header could already be built from lwt xmit hooks,
      so this fix is more relevant to that commit.
      
      Also set the mac header on redirect from LWT_XMIT, as even after this
      change to __bpf_redirect_no_mac that field is expected to be set, but
      is not yet in ip_finish_output2.
      
      Fixes: 3a0af8fd ("bpf: BPF for lightweight tunnel infrastructure")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      e7c87bd6
    • Michael S. Tsirkin's avatar
      virtio_net: bulk free tx skbs · df133f3f
      Michael S. Tsirkin authored
      Use napi_consume_skb() to get bulk free.  Note that napi_consume_skb is
      safe to call in a non-napi context as long as the napi_budget flag is
      correct.
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df133f3f
  6. 19 Jan, 2019 7 commits
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_5.0_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 5d5c303e
      Linus Torvalds authored
      Pull MIPS fixes from Paul Burton:
      
       - Fix IPI handling for Lantiq SoCs, which was broken by changes made
         back in v4.12.
      
       - Enable OF/DT serial support in ath79_defconfig to give us working
         serial by default.
      
       - Fix 64b builds for the Jazz platform.
      
       - Set up a struct device for the BCM47xx SoC to allow BCM47xx drivers
         to perform DMA again following the major DMA mapping changes made in
         v4.19.
      
       - Disable MSI on Cavium Octeon systems when the pcie_disable command
         line parameter introduced in v3.3 is used, in order to avoid
         inadvetently accessing PCIe controller registers despite the command
         line.
      
       - Fix a build failure for Cavium Octeon kernels with kexec enabled,
         introduced in v4.20.
      
       - Fix a regression in the behaviour of semctl/shmctl/msgctl IPC
         syscalls for kernels including n32 support but not o32 support caused
         by some cleanup in v3.19.
      
      * tag 'mips_fixes_5.0_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: OCTEON: fix kexec support
        mips: fix n32 compat_ipc_parse_version
        Disable MSI also when pcie-octeon.pcie_disable on
        MIPS: BCM47XX: Setup struct device for the SoC
        MIPS: jazz: fix 64bit build
        MIPS: ath79: Enable OF serial ports in the default config
        MIPS: lantiq: Use CP0_LEGACY_COMPARE_IRQ
        MIPS: lantiq: Fix IPI interrupt handling
      5d5c303e
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 6a0141a0
      Linus Torvalds authored
      Pull Devicetree fix from Rob Herring:
       "A single build fix for powerpc due to device_node.type removal"
      
      * tag 'devicetree-fixes-for-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        powerpc: chrp: Use of_node_is_type to access device_type
      6a0141a0
    • Linus Torvalds's avatar
      Merge tag 'libnvdimm-fixes-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 26caabbc
      Linus Torvalds authored
      Pull libnvdimm fixes from Dan Williams:
       "A crash fix, a build warning fix, a miscellaneous small cleanups.
      
        In case anyone is looking for them, there was a regression caught by
        testing that caused two patches to be dropped from this update.  Those
        patches have been reworked and will soak for another week / re-target
        5.0-rc4.
      
         - Fix driver initialization crash due to the inability to report an
           'error' state for a DIMM's security capability.
      
         - Build warning fix for little-endian ARM64 builds
      
         - Fix a potential race between the EDAC driver's usage of the NFIT
           SMBIOS id for a DIMM and the driver shutdown path.
      
         - A small collection of one-line benign cleanups for duplicate
           variable assignments, a duplicate header include and a mis-typed
           function argument"
      
      * tag 'libnvdimm-fixes-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        libnvdimm/security: Fix nvdimm_security_state() state request selection
        acpi/nfit: Remove duplicate set nd_set in acpi_nfit_init_interleave_set()
        acpi/nfit: Fix race accessing memdev in nfit_get_smbios_id()
        libnvdimm/dimm: Fix security capability detection for non-Intel NVDIMMs
        nfit: Mark some functions as __maybe_unused
        ACPI/nfit: delete the function to_acpi_nfit_desc
        ACPI/nfit: delete the redundant header file
      26caabbc
    • Linus Torvalds's avatar
      Merge tag 'linux-watchdog-5.0-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog · f403d718
      Linus Torvalds authored
      Pull watchdog fixes from Wim Van Sebroeck:
      
       - mt7621_wdt/rt2880_wdt: Fix compilation problem
      
       - tqmx86: Fix a couple IS_ERR() vs NULL bugs
      
      * tag 'linux-watchdog-5.0-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog:
        watchdog: tqmx86: Fix a couple IS_ERR() vs NULL bugs
        watchdog: mt7621_wdt/rt2880_wdt: Fix compilation problem
      f403d718
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.0-2' of git://git.linux-nfs.org/projects/anna/linux-nfs · b0efca46
      Linus Torvalds authored
      Pull NFS client fixes from Anna Schumaker:
       "These are mostly fixes for SUNRPC bugs, with a single v4.2
        copy_file_range() fix mixed in.
      
        Stable bugfixes:
         - Fix TCP receive code on archs with flush_dcache_page()
      
        Other bugfixes:
         - Fix error code in rpcrdma_buffer_create()
         - Fix a double free in rpcrdma_send_ctxs_create()
         - Fix kernel BUG at kernel/cred.c:825
         - Fix unnecessary retry in nfs42_proc_copy_file_range()
         - Ensure rq_bytes_sent is reset before request transmission
         - Ensure we respect the RPCSEC_GSS sequence number limit
         - Address Kerberos performance/behavior regression"
      
      * tag 'nfs-for-5.0-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        SUNRPC: Address Kerberos performance/behavior regression
        SUNRPC: Ensure we respect the RPCSEC_GSS sequence number limit
        SUNRPC: Ensure rq_bytes_sent is reset before request transmission
        NFSv4.2 fix unnecessary retry in nfs4_copy_file_range
        sunrpc: kernel BUG at kernel/cred.c:825!
        SUNRPC: Fix TCP receive code on archs with flush_dcache_page()
        xprtrdma: Double free in rpcrdma_sendctxs_create()
        xprtrdma: Fix error code in rpcrdma_buffer_create()
      b0efca46
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 4d5f6e02
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "A set of 17 fixes. Most of these are minor or trivial.
      
        The one fix that may be serious is the isci one: the bug can cause hba
        parameters to be set from uninitialized memory. I don't think it's
        exploitable, but you never know"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: cxgb4i: add wait_for_completion()
        scsi: qla1280: set 64bit coherent mask
        scsi: ufs: Fix geometry descriptor size
        scsi: megaraid_sas: Retry reads of outbound_intr_status reg
        scsi: qedi: Add ep_state for login completion on un-reachable targets
        scsi: ufs: Fix system suspend status
        scsi: qla2xxx: Use correct number of vectors for online CPUs
        scsi: hisi_sas: Set protection parameters prior to adding SCSI host
        scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes
        scsi: isci: initialize shost fully before calling scsi_add_host()
        scsi: lpfc: lpfc_sli: Mark expected switch fall-throughs
        scsi: smartpqi_init: fix boolean expression in pqi_device_remove_start
        scsi: core: Synchronize request queue PM status only on successful resume
        scsi: pm80xx: reduce indentation
        scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
        scsi: megaraid_sas: correct an info message
        scsi: target/iscsi: fix error msg typo when create lio_qr_cache failed
        scsi: sd: Fix cache_type_store()
      4d5f6e02
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190118' of git://git.kernel.dk/linux-block · 0facb892
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - block size setting fixes for loop/nbd (Jan Kara)
      
       - md bio_alloc_mddev() cleanup (Marcos)
      
       - Ensure we don't lose the REQ_INTEGRITY flag (Ming)
      
       - Two NVMe fixes by way of Christoph:
          - Fix NVMe IRQ calculation (Ming)
          - Uninitialized variable in nvmet-tcp (Sagi)
      
       - BFQ comment fix (Paolo)
      
       - License cleanup for recently added blk-mq-debugfs-zoned (Thomas)
      
      * tag 'for-linus-20190118' of git://git.kernel.dk/linux-block:
        block: Cleanup license notice
        nvme-pci: fix nvme_setup_irqs()
        nvmet-tcp: fix uninitialized variable access
        block: don't lose track of REQ_INTEGRITY flag
        blockdev: Fix livelocks on loop device
        nbd: Use set_blocksize() to set device blocksize
        md: Make bio_alloc_mddev use bio_alloc_bioset
        block, bfq: fix comments on __bfq_deactivate_entity
      0facb892