1. 05 Jan, 2018 1 commit
    • Eric Biggers's avatar
      crypto: algapi - fix NULL dereference in crypto_remove_spawns() · 9a006742
      Eric Biggers authored
      syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
      via a program that repeatedly and concurrently requests AEADs
      "authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
      through AF_ALG, where the hashes are requested as "untested"
      (CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
      causes the template to be instantiated for every request).
      
      Although AF_ALG users really shouldn't be able to request an "untested"
      algorithm, the NULL pointer dereference is actually caused by a
      longstanding race condition where crypto_remove_spawns() can encounter
      an instance which has had spawn(s) "grabbed" but hasn't yet been
      registered, resulting in ->cra_users still being NULL.
      
      We probably should properly initialize ->cra_users earlier, but that
      would require updating many templates individually.  For now just fix
      the bug in a simple way that can easily be backported: make
      crypto_remove_spawns() treat a NULL ->cra_users list as empty.
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      9a006742
  2. 22 Dec, 2017 10 commits
    • Antoine Ténart's avatar
      crypto: inside-secure - do not use areq->result for partial results · 2973633e
      Antoine Ténart authored
      This patches update the SafeXcel driver to stop using the crypto
      ahash_request result field for partial results (i.e. on updates).
      Instead the driver local safexcel_ahash_req state field is used, and
      only on final operations the ahash_request result buffer is updated.
      
      Fixes: 1b44c5a6 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@free-electrons.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      2973633e
    • Antoine Ténart's avatar
      crypto: inside-secure - fix request allocations in invalidation path · 7cad2fab
      Antoine Ténart authored
      This patch makes use of the SKCIPHER_REQUEST_ON_STACK and
      AHASH_REQUEST_ON_STACK helpers to allocate enough memory to contain both
      the crypto request structures and their embedded context (__ctx).
      
      Fixes: 1b44c5a6 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
      Suggested-by: default avatarOfer Heifetz <oferh@marvell.com>
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@free-electrons.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7cad2fab
    • Antoine Ténart's avatar
      crypto: inside-secure - free requests even if their handling failed · 0a02dcca
      Antoine Ténart authored
      This patch frees the request private data even if its handling failed,
      as it would never be freed otherwise.
      
      Fixes: 1b44c5a6 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
      Suggested-by: default avatarOfer Heifetz <oferh@marvell.com>
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@free-electrons.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0a02dcca
    • Ofer Heifetz's avatar
      crypto: inside-secure - per request invalidation · 1eb7b403
      Ofer Heifetz authored
      When an invalidation request is needed we currently override the context
      .send and .handle_result helpers. This is wrong as under high load other
      requests can already be queued and overriding the context helpers will
      make them execute the wrong .send and .handle_result functions.
      
      This commit fixes this by adding a needs_inv flag in the request to
      choose the action to perform when sending requests or handling their
      results. This flag will be set when needed (i.e. when the context flag
      will be set).
      
      Fixes: 1b44c5a6 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
      Signed-off-by: default avatarOfer Heifetz <oferh@marvell.com>
      [Antoine: commit message, and removed non related changes from the
      original commit]
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@free-electrons.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1eb7b403
    • James Hogan's avatar
      lib/mpi: Fix umul_ppmm() for MIPS64r6 · bbc25bee
      James Hogan authored
      Current MIPS64r6 toolchains aren't able to generate efficient
      DMULU/DMUHU based code for the C implementation of umul_ppmm(), which
      performs an unsigned 64 x 64 bit multiply and returns the upper and
      lower 64-bit halves of the 128-bit result. Instead it widens the 64-bit
      inputs to 128-bits and emits a __multi3 intrinsic call to perform a 128
      x 128 multiply. This is both inefficient, and it results in a link error
      since we don't include __multi3 in MIPS linux.
      
      For example commit 90a53e44 ("cfg80211: implement regdb signature
      checking") merged in v4.15-rc1 recently broke the 64r6_defconfig and
      64r6el_defconfig builds by indirectly selecting MPILIB. The same build
      errors can be reproduced on older kernels by enabling e.g. CRYPTO_RSA:
      
      lib/mpi/generic_mpih-mul1.o: In function `mpihelp_mul_1':
      lib/mpi/generic_mpih-mul1.c:50: undefined reference to `__multi3'
      lib/mpi/generic_mpih-mul2.o: In function `mpihelp_addmul_1':
      lib/mpi/generic_mpih-mul2.c:49: undefined reference to `__multi3'
      lib/mpi/generic_mpih-mul3.o: In function `mpihelp_submul_1':
      lib/mpi/generic_mpih-mul3.c:49: undefined reference to `__multi3'
      lib/mpi/mpih-div.o In function `mpihelp_divrem':
      lib/mpi/mpih-div.c:205: undefined reference to `__multi3'
      lib/mpi/mpih-div.c:142: undefined reference to `__multi3'
      
      Therefore add an efficient MIPS64r6 implementation of umul_ppmm() using
      inline assembly and the DMULU/DMUHU instructions, to prevent __multi3
      calls being emitted.
      
      Fixes: 7fd08ca5 ("MIPS: Add build support for the MIPS R6 ISA")
      Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: linux-mips@linux-mips.org
      Cc: linux-crypto@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      bbc25bee
    • Eric Biggers's avatar
      crypto: pcrypt - fix freeing pcrypt instances · d76c6810
      Eric Biggers authored
      pcrypt is using the old way of freeing instances, where the ->free()
      method specified in the 'struct crypto_template' is passed a pointer to
      the 'struct crypto_instance'.  But the crypto_instance is being
      kfree()'d directly, which is incorrect because the memory was actually
      allocated as an aead_instance, which contains the crypto_instance at a
      nonzero offset.  Thus, the wrong pointer was being kfree()'d.
      
      Fix it by switching to the new way to free aead_instance's where the
      ->free() method is specified in the aead_instance itself.
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 0496f560 ("crypto: pcrypt - Add support for new AEAD interface")
      Cc: <stable@vger.kernel.org> # v4.2+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d76c6810
    • Jan Engelhardt's avatar
      crypto: n2 - cure use after free · 203f4500
      Jan Engelhardt authored
      queue_cache_init is first called for the Control Word Queue
      (n2_crypto_probe). At that time, queue_cache[0] is NULL and a new
      kmem_cache will be allocated. If the subsequent n2_register_algs call
      fails, the kmem_cache will be released in queue_cache_destroy, but
      queue_cache_init[0] is not set back to NULL.
      
      So when the Module Arithmetic Unit gets probed next (n2_mau_probe),
      queue_cache_init will not allocate a kmem_cache again, but leave it
      as its bogus value, causing a BUG() to trigger when queue_cache[0] is
      eventually passed to kmem_cache_zalloc:
      
      	n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7
      	n2_crypto: Registered NCS HVAPI version 2.0
      	called queue_cache_init
      	n2_crypto: md5 alg registration failed
      	n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms.
      	called queue_cache_destroy
      	n2cp: probe of f028687c failed with error -22
      	n2_crypto: Found NCP at /virtual-devices@100/ncp@6
      	n2_crypto: Registered NCS HVAPI version 2.0
      	called queue_cache_init
      	kernel BUG at mm/slab.c:2993!
      	Call Trace:
      	 [0000000000604488] kmem_cache_alloc+0x1a8/0x1e0
                        (inlined) kmem_cache_zalloc
                        (inlined) new_queue
                        (inlined) spu_queue_setup
                        (inlined) handle_exec_unit
      	 [0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto]
      	 [0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto]
      	 [000000000084b174] platform_drv_probe+0x34/0xc0
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJan Engelhardt <jengelh@inai.de>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      203f4500
    • Jonathan Cameron's avatar
      crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t · af955bf1
      Jonathan Cameron authored
      This variable was increased and decreased without any protection.
      Result was an occasional misscount and negative wrap around resulting
      in false resource allocation failures.
      
      Fixes: 7d2c3f54 ("crypto: af_alg - remove locking in async callback")
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Reviewed-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      af955bf1
    • Eric Biggers's avatar
      crypto: chacha20poly1305 - validate the digest size · e57121d0
      Eric Biggers authored
      If the rfc7539 template was instantiated with a hash algorithm with
      digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
      overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
      subsequent memory, including 'cryptlen'.  This caused a crash during
      crypto_skcipher_decrypt().
      
      Fix it by, when instantiating the template, requiring that the
      underlying hash algorithm has the digest size expected for Poly1305.
      
      Reproducer:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          int main()
          {
                  int algfd, reqfd;
                  struct sockaddr_alg addr = {
                          .salg_type = "aead",
                          .salg_name = "rfc7539(chacha20,sha256)",
                  };
                  unsigned char buf[32] = { 0 };
      
                  algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  bind(algfd, (void *)&addr, sizeof(addr));
                  setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
                  reqfd = accept(algfd, 0, 0);
                  write(reqfd, buf, 16);
                  read(reqfd, buf, 16);
          }
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Cc: <stable@vger.kernel.org> # v4.2+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e57121d0
    • Arnd Bergmann's avatar
      crypto: chelsio - select CRYPTO_GF128MUL · d042566d
      Arnd Bergmann authored
      Without the gf128mul library support, we can run into a link
      error:
      
      drivers/crypto/chelsio/chcr_algo.o: In function `chcr_update_tweak':
      chcr_algo.c:(.text+0x7e0): undefined reference to `gf128mul_x8_ble'
      
      This adds a Kconfig select statement for it, next to the ones we
      already have.
      
      Cc: <stable@vger.kernel.org>
      Fixes: b8fd1f41 ("crypto: chcr - Add ctr mode and process large sg entries for cipher")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d042566d
  3. 11 Dec, 2017 5 commits
    • Stephan Mueller's avatar
      crypto: af_alg - fix race accessing cipher request · d53c5135
      Stephan Mueller authored
      When invoking an asynchronous cipher operation, the invocation of the
      callback may be performed before the subsequent operations in the
      initial code path are invoked. The callback deletes the cipher request
      data structure which implies that after the invocation of the
      asynchronous cipher operation, this data structure must not be accessed
      any more.
      
      The setting of the return code size with the request data structure must
      therefore be moved before the invocation of the asynchronous cipher
      operation.
      
      Fixes: e870456d ("crypto: algif_skcipher - overhaul memory management")
      Fixes: d887c52d ("crypto: algif_aead - overhaul memory management")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # v4.14+
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Acked-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d53c5135
    • Sebastian Andrzej Siewior's avatar
      crypto: mcryptd - protect the per-CPU queue with a lock · 9abffc6f
      Sebastian Andrzej Siewior authored
      mcryptd_enqueue_request() grabs the per-CPU queue struct and protects
      access to it with disabled preemption. Then it schedules a worker on the
      same CPU. The worker in mcryptd_queue_worker() guards access to the same
      per-CPU variable with disabled preemption.
      
      If we take CPU-hotplug into account then it is possible that between
      queue_work_on() and the actual invocation of the worker the CPU goes
      down and the worker will be scheduled on _another_ CPU. And here the
      preempt_disable() protection does not work anymore. The easiest thing is
      to add a spin_lock() to guard access to the list.
      
      Another detail: mcryptd_queue_worker() is not processing more than
      MCRYPTD_BATCH invocation in a row. If there are still items left, then
      it will invoke queue_work() to proceed with more later. *I* would
      suggest to simply drop that check because it does not use a system
      workqueue and the workqueue is already marked as "CPU_INTENSIVE". And if
      preemption is required then the scheduler should do it.
      However if queue_work() is used then the work item is marked as CPU
      unbound. That means it will try to run on the local CPU but it may run
      on another CPU as well. Especially with CONFIG_DEBUG_WQ_FORCE_RR_CPU=y.
      Again, the preempt_disable() won't work here but lock which was
      introduced will help.
      In order to keep work-item on the local CPU (and avoid RR) I changed it
      to queue_work_on().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      9abffc6f
    • Stephan Mueller's avatar
      crypto: af_alg - wait for data at beginning of recvmsg · 11edb555
      Stephan Mueller authored
      The wait for data is a non-atomic operation that can sleep and therefore
      potentially release the socket lock. The release of the socket lock
      allows another thread to modify the context data structure. The waiting
      operation for new data therefore must be called at the beginning of
      recvmsg. This prevents a race condition where checks of the members of
      the context data structure are performed by recvmsg while there is a
      potential for modification of these values.
      
      Fixes: e870456d ("crypto: algif_skcipher - overhaul memory management")
      Fixes: d887c52d ("crypto: algif_aead - overhaul memory management")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # v4.14+
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      11edb555
    • Eric Biggers's avatar
      crypto: skcipher - set walk.iv for zero-length inputs · 2b4f27c3
      Eric Biggers authored
      All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
      algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
      before checking whether any bytes need to be processed (walk.nbytes).
      
      But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
      and the algorithms crash trying to use the uninitialized IV pointer.
      
      Fix it by setting the IV earlier in skcipher_walk_virt().  Also fix it
      for the AEAD walk functions.
      
      This isn't a perfect solution because we can't actually align the IV to
      ->cra_alignmask unless there are bytes to process, for one because the
      temporary buffer for the aligned IV is freed by skcipher_walk_done(),
      which is only called when there are bytes to process.  Thus, algorithms
      that require aligned IVs will still need to avoid accessing the IV when
      walk.nbytes == 0.  Still, many algorithms/architectures are fine with
      IVs having any alignment, and even for those that aren't, a misaligned
      pointer bug is much less severe than an uninitialized pointer bug.
      
      This change also matches the behavior of the older blkcipher_walk API.
      
      Fixes: 0cabf2af ("crypto: skcipher - Fix crash on zero-length input")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # v4.14+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      2b4f27c3
    • Linus Torvalds's avatar
      Linux 4.15-rc3 · 50c4c4e2
      Linus Torvalds authored
      50c4c4e2
  4. 10 Dec, 2017 9 commits
    • Jeff Layton's avatar
      hpfs: don't bother with the i_version counter or f_version · 98087c05
      Jeff Layton authored
      HPFS does not set SB_I_VERSION and does not use the i_version counter
      internally.
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarMikulas Patocka <mikulas@twibright.com>
      Reviewed-by: default avatarMikulas Patocka <mikulas@twibright.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      98087c05
    • Jiri Slaby's avatar
      futex: futex_wake_op, fix sign_extend32 sign bits · d70ef228
      Jiri Slaby authored
      sign_extend32 counts the sign bit parameter from 0, not from 1.  So we
      have to use "11" for 12th bit, not "12".
      
      This mistake means we have not allowed negative op and cmp args since
      commit 30d6e0a4 ("futex: Remove duplicated code and fix undefined
      behaviour") till now.
      
      Fixes: 30d6e0a4 ("futex: Remove duplicated code and fix undefined behaviour")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Darren Hart <dvhart@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d70ef228
    • Linus Torvalds's avatar
      Merge tag 'for-4.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 51090c5d
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "This contains a few fixes (error handling, quota leak, FUA vs
        nobarrier mount option).
      
        There's one one worth mentioning separately - an off-by-one fix that
        leads to overwriting first byte of an adjacent page with 0, out of
        bounds of the memory allocated by an ioctl. This is under a privileged
        part of the ioctl, can be triggerd in some subvolume layouts"
      
      * tag 'for-4.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
        Btrfs: disable FUA if mounted with nobarrier
        btrfs: fix missing error return in btrfs_drop_snapshot
        btrfs: handle errors while updating refcounts in update_ref_for_cow
        btrfs: Fix quota reservation leak on preallocated files
      51090c5d
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 9c02e060
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
      
       - A revert of all SCPI changes from the 4.15 merge window. They had
         regressions on the Amlogic platforms, and the submaintainer isn't
         around to fix these bugs due to vacation, etc. So we agreed to revert
         and revisit in next release cycle.
      
       - A series fixing a number of bugs for ARM CCN interconnect, around
         module unload, smp_processor_id() in preemptable context, and fixing
         some memory allocation failure checks.
      
       - A handful of devicetree fixes for different platforms, fixing
         warnings and errors that were previously ignored by the compiler.
      
       - The usual set of mostly minor fixes for different platforms.
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (42 commits)
        ARM64: dts: meson-gx: fix UART pclk clock name
        ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds
        arm: dts: nspire: Add missing #phy-cells to usb-nop-xceiv
        ARM: dts: Fix dm814x missing phy-cells property
        ARM: dts: Fix elm interrupt compiler warning
        bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
        bus: arm-cci: Fix use of smp_processor_id() in preemptible context
        bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
        bus: arm-ccn: Simplify code
        bus: arm-ccn: Check memory allocation failure
        bus: arm-ccn: constify attribute_group structures.
        firmware: arm_scpi: Revert updates made during v4.15 merge window
        arm: dts: marvell: Add missing #phy-cells to usb-nop-xceiv
        arm64: dts: sort vendor subdirectories in Makefile alphabetically
        meson-gx-socinfo: Fix package id parsing
        ARM: meson: fix spelling mistake: "Couln't" -> "Couldn't"
        ARM: dts: meson: fix the memory region of the GPIO interrupt controller
        ARM: dts: meson: correct the sort order for the the gpio_intc node
        MAINTAINERS: exclude other Socionext SoC DT files from ARM/UNIPHIER entry
        arm64: dts: uniphier: remove unnecessary interrupt-parent
        ...
      9c02e060
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · c465fc11
      Linus Torvalds authored
      Pull KVM fixes from Radim Krčmář:
       "ARM:
         - A number of issues in the vgic discovered using SMATCH
         - A bit one-off calculation in out stage base address mask (32-bit
           and 64-bit)
         - Fixes to single-step debugging instructions that trap for other
           reasons such as MMMIO aborts
         - Printing unavailable hyp mode as error
         - Potential spinlock deadlock in the vgic
         - Avoid calling vgic vcpu free more than once
         - Broken bit calculation for big endian systems
      
       s390:
         - SPDX tags
         - Fence storage key accesses from problem state
         - Make sure that irq_state.flags is not used in the future
      
        x86:
         - Intercept port 0x80 accesses to prevent host instability (CVE)
         - Use userspace FPU context for guest FPU (mainly an optimization
           that fixes a double use of kernel FPU)
         - Do not leak one page per module load
         - Flush APIC page address cache from MMU invalidation notifiers"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (28 commits)
        KVM: x86: fix APIC page invalidation
        KVM: s390: Fix skey emulation permission check
        KVM: s390: mark irq_state.flags as non-usable
        KVM: s390: Remove redundant license text
        KVM: s390: add SPDX identifiers to the remaining files
        KVM: VMX: fix page leak in hardware_setup()
        KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
        x86,kvm: remove KVM emulator get_fpu / put_fpu
        x86,kvm: move qemu/guest FPU switching out to vcpu_run
        KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
        KVM: arm/arm64: kvm_arch_destroy_vm cleanups
        KVM: arm/arm64: Fix spinlock acquisition in vgic_set_owner
        kvm: arm: don't treat unavailable HYP mode as an error
        KVM: arm/arm64: Avoid attempting to load timer vgic state without a vgic
        kvm: arm64: handle single-step of hyp emulated mmio instructions
        kvm: arm64: handle single-step during SError exceptions
        kvm: arm64: handle single-step of userspace mmio instructions
        kvm: arm64: handle single-stepping trapped instructions
        KVM: arm/arm64: debug: Introduce helper for single-step
        arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
        ...
      c465fc11
    • Olof Johansson's avatar
      Merge branch 'fixes' into for-next · 8be0b988
      Olof Johansson authored
      * fixes:
        ARM64: dts: meson-gx: fix UART pclk clock name
        ARM: dts: Fix dm814x missing phy-cells property
        ARM: dts: Fix elm interrupt compiler warning
        bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
        bus: arm-cci: Fix use of smp_processor_id() in preemptible context
        bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
        bus: arm-ccn: Simplify code
        bus: arm-ccn: Check memory allocation failure
        bus: arm-ccn: constify attribute_group structures.
        meson-gx-socinfo: Fix package id parsing
        ARM: meson: fix spelling mistake: "Couln't" -> "Couldn't"
        ARM: dts: meson: fix the memory region of the GPIO interrupt controller
        ARM: dts: meson: correct the sort order for the the gpio_intc node
      8be0b988
    • Olof Johansson's avatar
      Merge tag 'amlogic-fixes-1' of... · ce39882e
      Olof Johansson authored
      Merge tag 'amlogic-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic into fixes
      
      Amlogic fixes for v4.15-rc
      - GPIO interrupt fixes
      - socinfo fix for GX series
      - fix typo
      
      * tag 'amlogic-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic:
        ARM64: dts: meson-gx: fix UART pclk clock name
        meson-gx-socinfo: Fix package id parsing
        ARM: meson: fix spelling mistake: "Couln't" -> "Couldn't"
        ARM: dts: meson: fix the memory region of the GPIO interrupt controller
        ARM: dts: meson: correct the sort order for the the gpio_intc node
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      ce39882e
    • Olof Johansson's avatar
      Merge tag 'ccn/fixes-for-4.15' of git://git.linaro.org/people/pawel.moll/linux into fixes · 3dda7f63
      Olof Johansson authored
      bus: ARM CCN and CCI PMU driver fixes
      
      This is a bunch of fixes CCN and (guest starring this time) CCI drivers.
      
      * Check for potential of failed allocation for the driver name string
      * Manage CPU ID properly at allocation (both CCN and CCI)
      * Fix module unload warnings related to objects release order
      * Small improvements like using allocating printfs and proper
        attributes constification
      
      The one fixing potential issues have been cc-ed to stable.
      
      * tag 'ccn/fixes-for-4.15' of git://git.linaro.org/people/pawel.moll/linux:
        bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
        bus: arm-cci: Fix use of smp_processor_id() in preemptible context
        bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
        bus: arm-ccn: Simplify code
        bus: arm-ccn: Check memory allocation failure
        bus: arm-ccn: constify attribute_group structures.
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      3dda7f63
    • Olof Johansson's avatar
      Merge tag 'omap-for-v4.15/fixes-dt-warnings' of... · 69b8df5d
      Olof Johansson authored
      Merge tag 'omap-for-v4.15/fixes-dt-warnings' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes
      
      Two fixes for dts compiler warnings
      
      These recently started showing up with better dtc checks being
      introduced.
      
      * tag 'omap-for-v4.15/fixes-dt-warnings' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
        ARM: dts: Fix dm814x missing phy-cells property
        ARM: dts: Fix elm interrupt compiler warning
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      69b8df5d
  5. 09 Dec, 2017 1 commit
  6. 08 Dec, 2017 14 commits
    • Michal Hocko's avatar
      kmemcheck: rip it out for real · f335195a
      Michal Hocko authored
      Commit 4675ff05 ("kmemcheck: rip it out") has removed the code but
      for some reason SPDX header stayed in place.  This looks like a rebase
      mistake in the mmotm tree or the merge mistake.  Let's drop those
      leftovers as well.
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f335195a
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · e9ef1fe3
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) CAN fixes from Martin Kelly (cancel URBs properly in all the CAN usb
          drivers).
      
       2) Revert returning -EEXIST from __dev_alloc_name() as this propagates
          to userspace and broke some apps. From Johannes Berg.
      
       3) Fix conn memory leaks and crashes in TIPC, from Jon Malloc and Cong
          Wang.
      
       4) Gianfar MAC can't do EEE so don't advertise it by default, from
          Claudiu Manoil.
      
       5) Relax strict netlink attribute validation, but emit a warning. From
          David Ahern.
      
       6) Fix regression in checksum offload of thunderx driver, from Florian
          Westphal.
      
       7) Fix UAPI bpf issues on s390, from Hendrik Brueckner.
      
       8) New card support in iwlwifi, from Ihab Zhaika.
      
       9) BBR congestion control bug fixes from Neal Cardwell.
      
      10) Fix port stats in nfp driver, from Pieter Jansen van Vuuren.
      
      11) Fix leaks in qualcomm rmnet, from Subash Abhinov Kasiviswanathan.
      
      12) Fix DMA API handling in sh_eth driver, from Thomas Petazzoni.
      
      13) Fix spurious netpoll warnings in bnxt_en, from Calvin Owens.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (67 commits)
        net: mvpp2: fix the RSS table entry offset
        tcp: evaluate packet losses upon RTT change
        tcp: fix off-by-one bug in RACK
        tcp: always evaluate losses in RACK upon undo
        tcp: correctly test congestion state in RACK
        bnxt_en: Fix sources of spurious netpoll warnings
        tcp_bbr: reset long-term bandwidth sampling on loss recovery undo
        tcp_bbr: reset full pipe detection on loss recovery undo
        tcp_bbr: record "full bw reached" decision in new full_bw_reached bit
        sfc: pass valid pointers from efx_enqueue_unwind
        gianfar: Disable EEE autoneg by default
        tcp: invalidate rate samples during SACK reneging
        can: peak/pcie_fd: fix potential bug in restarting tx queue
        can: usb_8dev: cancel urb on -EPIPE and -EPROTO
        can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
        can: esd_usb2: cancel urb on -EPIPE and -EPROTO
        can: ems_usb: cancel urb on -EPIPE and -EPROTO
        can: mcba_usb: cancel urb on -EPROTO
        usbnet: fix alignment for frames with no ethernet header
        tcp: use current time in tcp_rcv_space_adjust()
        ...
      e9ef1fe3
    • Linus Torvalds's avatar
      Merge tag 'media/v4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 77071bc6
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
      
       "A series of fixes for the media subsytem:
      
         - The largest amount of fixes in this series is with regards to
           comments that aren't kernel-doc, but start with "/**".
      
           A new check added for 4.15 makes it to produce a *huge* amount of
           new warnings (I'm compiling here with W=1). Most of the patches in
           this series fix those.
      
           No code changes - just comment changes at the source files
      
         - rc: some fixed in order to better handle RC repetition codes
      
         - v4l-async: use the v4l2_dev from the root notifier when matching
           sub-devices
      
         - v4l2-fwnode: Check subdev count after checking port
      
         - ov 13858 and et8ek8: compilation fix with randconfigs
      
         - usbtv: a trivial new USB ID addition
      
         - dibusb-common: don't do DMA on stack on firmware load
      
         - imx274: Fix error handling, add MAINTAINERS entry
      
         - sir_ir: detect presence of port"
      
      * tag 'media/v4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (50 commits)
        media: imx274: Fix error handling, add MAINTAINERS entry
        media: v4l: async: use the v4l2_dev from the root notifier when matching sub-devices
        media: v4l2-fwnode: Check subdev count after checking port
        media: et8ek8: select V4L2_FWNODE
        media: ov13858: Select V4L2_FWNODE
        media: rc: partial revert of "media: rc: per-protocol repeat period"
        media: dvb: i2c transfers over usb cannot be done from stack
        media: dvb-frontends: complete kernel-doc markups
        media: docs: add documentation for frontend attach info
        media: dvb_frontends: fix kernel-doc macros
        media: drivers: remove "/**" from non-kernel-doc comments
        media: lm3560: add a missing kernel-doc parameter
        media: rcar_jpu: fix two kernel-doc markups
        media: vsp1: add a missing kernel-doc parameter
        media: soc_camera: fix a kernel-doc markup
        media: mt2063: fix some kernel-doc warnings
        media: radio-wl1273: fix a parameter name at kernel-doc macro
        media: s3c-camif: add missing description at s3c_camif_find_format()
        media: mtk-vpu: add description for wdt fields at struct mtk_vpu
        media: vdec: fix some kernel-doc warnings
        ...
      77071bc6
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux · 4066aa72
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "This pull is a bit larger than I'd like but a large bunch of it is
        license fixes, AMD wanted to fix the licenses for a bunch of files
        that were missing them,
      
       Otherwise a bunch of TTM regression fix since the hugepage support,
       some i915 and gvt fixes, a core connector free in a safe context fix,
       and one bridge fix"
      
      * tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux: (26 commits)
        drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
        Revert "drm/i915: Display WA #1133 WaFbcSkipSegments:cnl, glk"
        drm/vc4: Fix false positive WARN() backtrace on refcount_inc() usage
        drm/i915: Call i915_gem_init_userptr() before taking struct_mutex
        drm/exynos: remove unnecessary function declaration
        drm/exynos: remove unnecessary descrptions
        drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
        drm/exynos: Fix dma-buf import
        drm/ttm: swap consecutive allocated pooled pages v4
        drm: safely free connectors from connector_iter
        drm/i915/gvt: set max priority for gvt context
        drm/i915/gvt: Don't mark vgpu context as inactive when preempted
        drm/i915/gvt: Limit read hw reg to active vgpu
        drm/i915/gvt: Export intel_gvt_render_mmio_to_ring_id()
        drm/i915/gvt: Emulate PCI expansion ROM base address register
        drm/ttm: swap consecutive allocated cached pages v3
        drm/ttm: roundup the shrink request to prevent skip huge pool
        drm/ttm: add page order support in ttm_pages_put
        drm/ttm: add set_pages_wb for handling page order more than zero
        drm/ttm: add page order in page pool
        ...
      4066aa72
    • Linus Torvalds's avatar
      Merge tag 'md/4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md · 7267212c
      Linus Torvalds authored
      Pull md fixes from Shaohua Li:
       "Some MD fixes.
      
        The notable one is a raid5-cache deadlock bug with dm-raid, others are
        not significant"
      
      * tag 'md/4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
        md/raid1/10: add missed blk plug
        md: limit mdstat resync progress to max_sectors
        md/r5cache: move mddev_lock() out of r5c_journal_mode_set()
        md/raid5: correct degraded calculation in raid5_error
      7267212c
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-4.15-part2' of... · 78d9b048
      Linus Torvalds authored
      Merge tag 'devicetree-fixes-for-4.15-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
      
      Pull DeviceTree fixes from Rob Herring:
       "Another set of DT fixes:
      
         - Fixes from overlay code rework. A trifecta of fixes to the locking,
           an out of bounds access, and a memory leak in of_overlay_apply()
      
         - Clean-up at25 eeprom binding document
      
         - Remove leading '0x' in unit-addresses from binding docs"
      
      * tag 'devicetree-fixes-for-4.15-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        of: overlay: Make node skipping in init_overlay_changeset() clearer
        of: overlay: Fix out-of-bounds write in init_overlay_changeset()
        of: overlay: Fix (un)locking in of_overlay_apply()
        of: overlay: Fix memory leak in of_overlay_apply() error path
        dt-bindings: eeprom: at25: Document device-specific compatible values
        dt-bindings: eeprom: at25: Grammar s/are can/can/
        dt-bindings: Remove leading 0x from bindings notation
        of: overlay: Remove else after goto
        of: Spelling s/changset/changeset/
        of: unittest: Remove bogus overlay mutex release from overlay_data_add()
      78d9b048
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 900add27
      Linus Torvalds authored
      Pull virtio bugfixes from Michael Tsirkin:
       "A couple of minor bugfixes"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        virtio_net: fix return value check in receive_mergeable()
        virtio_mmio: add cleanup for virtio_mmio_remove
        virtio_mmio: add cleanup for virtio_mmio_probe
      900add27
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 32abeb09
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Just two small fixes for the new pvcalls frontend driver"
      
      * tag 'for-linus-4.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/pvcalls: Fix a check in pvcalls_front_remove()
        xen/pvcalls: check for xenbus_read() errors
      32abeb09
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.15-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · d90696ed
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       "One notable fix for kexec on Power9, where we were not clearing MMU
        PID properly which sometimes leads to hangs. Finally debugged to a
        root cause by Nick.
      
        A revert of a patch which tried to rework our panic handling to get
        more output on the console, but inadvertently broke reporting the
        panic to the hypervisor, which apparently people care about.
      
        Then a fix for an oops in the PMU code, and finally some s/%p/%px/ in
        xmon.
      
        Thanks to: David Gibson, Nicholas Piggin, Ravi Bangoria"
      
      * tag 'powerpc-4.15-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/xmon: Don't print hashed pointers in xmon
        powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
        Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier"
        powerpc/perf: Fix oops when grouping different pmu events
      d90696ed
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-4.15-20171208' of... · fd29117a
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.15-20171208' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2017-12-08
      
      this is a pull request of 6 patches for net/master.
      
      Martin Kelly provides 5 patches for various USB based CAN drivers, that
      properly cancel the URBs on adapter unplug, so that the driver doesn't
      end up in an endless loop. Stephane Grosjean provides a patch to restart
      the tx queue if zero length packages are transmitted.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd29117a
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2017-12-08' of... · 03afb6e4
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2017-12-08' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.15
      
      Second set of fixes for 4.15. This time a lot of iwlwifi patches and
      two brcmfmac patches. Most important here are the MIC and IVC fixes
      for iwlwifi to unbreak 9000 series.
      
      iwlwifi
      
      * fix rate-scaling to not start lowest possible rate
      
      * fix the TX queue hang detection for AP/GO modes
      
      * fix the TX queue hang timeout in monitor interfaces
      
      * fix packet injection
      
      * remove a wrong error message when dumping PCI registers
      
      * fix race condition with RF-kill
      
      * tell mac80211 when the MIC has been stripped (9000 series)
      
      * tell mac80211 when the IVC has been stripped (9000 series)
      
      * add 2 new PCI IDs, one for 9000 and one for 22000
      
      * fix a queue hang due during a P2P Remain-on-Channel operation
      
      brcmfmac
      
      * fix a race which sometimes caused a crash during sdio unbind
      
      * fix a kernel-doc related build error
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      03afb6e4
    • Antoine Tenart's avatar
      net: mvpp2: fix the RSS table entry offset · 8a7b741e
      Antoine Tenart authored
      The macro used to access or set an RSS table entry was using an offset
      of 8, while it should use an offset of 0. This lead to wrongly configure
      the RSS table, not accessing the right entries.
      
      Fixes: 1d7d15d7 ("net: mvpp2: initialize the RSS tables")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@free-electrons.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a7b741e
    • David S. Miller's avatar
      Merge branch 'tcp-RACK-loss-recovery-bug-fixes' · b7e445a1
      David S. Miller authored
      Yuchung Cheng says:
      
      ====================
      tcp: RACK loss recovery bug fixes
      
      This patch set has four minor bug fixes in TCP RACK loss recovery.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7e445a1
    • Yuchung Cheng's avatar
      tcp: evaluate packet losses upon RTT change · 6065fd0d
      Yuchung Cheng authored
      RACK skips an ACK unless it advances the most recently delivered
      TX timestamp (rack.mstamp). Since RACK also uses the most recent
      RTT to decide if a packet is lost, RACK should still run the
      loss detection whenever the most recent RTT changes. For example,
      an ACK that does not advance the timestamp but triggers the cwnd
      undo due to reordering, would then use the most recent (higher)
      RTT measurement to detect further losses.
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Reviewed-by: default avatarNeal Cardwell <ncardwell@google.com>
      Reviewed-by: default avatarPriyaranjan Jha <priyarjha@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6065fd0d