1. 29 Sep, 2018 9 commits
  2. 28 Sep, 2018 5 commits
  3. 27 Sep, 2018 10 commits
  4. 26 Sep, 2018 4 commits
  5. 25 Sep, 2018 12 commits
    • Christoph Hellwig's avatar
      dma-mapping: add the missing ARCH_HAS_SYNC_DMA_FOR_CPU_ALL declaration · 974c24c5
      Christoph Hellwig authored
      The patch adding the infrastructure failed to actually add the symbol
      declaration, oops..
      
      Fixes: faef8772 ("dma-noncoherent: add a arch_sync_dma_for_cpu_all hook")
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarPaul Burton <paul.burton@mips.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      974c24c5
    • Parav Pandit's avatar
      RDMA/core: Set right entry state before releasing reference · 5c5702e2
      Parav Pandit authored
      Currently add_modify_gid() for IB link layer has followong issue
      in cache update path.
      
      When GID update event occurs, core releases reference to the GID
      table without updating its state and/or entry pointer.
      
      CPU-0                              CPU-1
      ------                             -----
      ib_cache_update()                    IPoIB ULP
         add_modify_gid()                   [..]
            put_gid_entry()
            refcnt = 0, but
            state = valid,
            entry is valid.
            (work item is not yet executed).
                                         ipoib_create_ah()
                                           rdma_create_ah()
                                              rdma_get_gid_attr() <--
                                         	Tries to acquire gid_attr
                                              which has refcnt = 0.
                                         	This is incorrect.
      
      GID entry state and entry pointer is provides the accurate GID enty
      state. Such fields must be updated with rwlock to protect against
      readers and, such fields must be in sane state before refcount can drop
      to zero. Otherwise above race condition can happen leading to
      use-after-free situation.
      
      Following backtrace has been observed when cache update for an IB port
      is triggered while IPoIB ULP is creating an AH.
      
      Therefore, when updating GID entry, first mark a valid entry as invalid
      through state and set the barrier so that no callers can acquired
      the GID entry, followed by release reference to it.
      
      refcount_t: increment on 0; use-after-free.
      WARNING: CPU: 4 PID: 29106 at lib/refcount.c:153 refcount_inc_checked+0x30/0x50
      Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
      RIP: 0010:refcount_inc_checked+0x30/0x50
      RSP: 0018:ffff8802ad36f600 EFLAGS: 00010082
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000002 RSI: 0000000000000008 RDI: ffffffff86710100
      RBP: ffff8802d6e60a30 R08: ffffed005d67bf8b R09: ffffed005d67bf8b
      R10: 0000000000000001 R11: ffffed005d67bf8a R12: ffff88027620cee8
      R13: ffff8802d6e60988 R14: ffff8802d6e60a78 R15: 0000000000000202
      FS: 0000000000000000(0000) GS:ffff8802eb200000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f3ab35e5c88 CR3: 00000002ce84a000 CR4: 00000000000006e0
      IPv6: ADDRCONF(NETDEV_CHANGE): ib1: link becomes ready
      Call Trace:
      rdma_get_gid_attr+0x220/0x310 [ib_core]
      ? lock_acquire+0x145/0x3a0
      rdma_fill_sgid_attr+0x32c/0x470 [ib_core]
      rdma_create_ah+0x89/0x160 [ib_core]
      ? rdma_fill_sgid_attr+0x470/0x470 [ib_core]
      ? ipoib_create_ah+0x52/0x260 [ib_ipoib]
      ipoib_create_ah+0xf5/0x260 [ib_ipoib]
      ipoib_mcast_join_complete+0xbbe/0x2540 [ib_ipoib]
      
      Fixes: b150c386 ("IB/core: Introduce GID entry reference counts")
      Signed-off-by: default avatarParav Pandit <parav@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      5c5702e2
    • Yishai Hadas's avatar
      IB/mlx5: Destroy the DEVX object upon error flow · e8ef090a
      Yishai Hadas authored
      Upon DEVX object creation the object must be destroyed upon a follows
      error flow.
      
      Fixes: 7efce369 ("IB/mlx5: Add obj create and destroy functionality")
      Signed-off-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Reviewed-by: default avatarArtemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      e8ef090a
    • Mark Bloch's avatar
      IB/uverbs: Free uapi on destroy · a9360abd
      Mark Bloch authored
      Make sure we free struct uverbs_api once we clean the radix tree. It was
      allocated by uverbs_alloc_api().
      
      Fixes: 9ed3e5f4 ("IB/uverbs: Build the specs into a radix tree at runtime")
      Reported-by: default avatarBart Van Assche <bvanassche@acm.org>
      Signed-off-by: default avatarMark Bloch <markb@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      a9360abd
    • Greg Kroah-Hartman's avatar
      erge tag 'libnvdimm-fixes-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · a3852318
      Greg Kroah-Hartman authored
      Dan writes:
        "libnvdimm/dax for 4.19-rc6
      
        * (2) fixes for the dax error handling updates that were merged for
        v4.19-rc1. My mails to Al have been bouncing recently, so I do not have
        his ack but the uaccess change is of the trivial / obviously correct
        variety. The address_space_operations fixes a regression.
      
        * A filesystem-dax fix to correct the zero page lookup to be compatible
         with non-x86 (mips and s390) architectures."
      
      * tag 'libnvdimm-fixes-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        device-dax: Add missing address_space_operations
        uaccess: Fix is_source param for check_copy_size() in copy_to_iter_mcsafe()
        filesystem-dax: Fix use of zero page
      a3852318
    • Greg Kroah-Hartman's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 846e8dd4
      Greg Kroah-Hartman authored
      James writes:
        "SCSI fixes on 20180925
      
         Nine obvious bug fixes mostly in individual drivers.  The target fix
         is of particular importance because it's CVE related."
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sd: don't crash the host on invalid commands
        scsi: ipr: System hung while dlpar adding primary ipr adapter back
        scsi: target: iscsi: Use bin2hex instead of a re-implementation
        scsi: target: iscsi: Use hex2bin instead of a re-implementation
        scsi: lpfc: Synchronize access to remoteport via rport
        scsi: ufs: Disable blk-mq for now
        scsi: sd: Contribute to randomness when running rotational device
        scsi: ibmvscsis: Ensure partition name is properly NUL terminated
        scsi: ibmvscsis: Fix a stringop-overflow warning
      846e8dd4
    • Greg Kroah-Hartman's avatar
      Merge tag 'usb-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · bfb0e9b4
      Greg Kroah-Hartman authored
      I wrote:
        "USB fixes for 4.19-rc6
      
         Here are some small USB core and driver fixes for reported issues for
         4.19-rc6.
      
         The most visible is the oops fix for when the USB core is built into the
         kernel that is present in 4.18.  Turns out not many people actually do
         that so it went unnoticed for a while.  The rest is some tiny typec,
         musb, and other core fixes.
      
         All have been in linux-next with no reported issues."
      
      * tag 'usb-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: mux: Take care of driver module reference counting
        usb: core: safely deal with the dynamic quirk lists
        usb: roles: Take care of driver module reference counting
        USB: handle NULL config in usb_find_alt_setting()
        USB: fix error handling in usb_driver_claim_interface()
        USB: remove LPM management from usb_driver_claim_interface()
        USB: usbdevfs: restore warning for nonsensical flags
        USB: usbdevfs: sanitize flags more
        Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()"
        usb: musb: dsps: do not disable CPPI41 irq in driver teardown
      bfb0e9b4
    • Greg Kroah-Hartman's avatar
      Merge tag 'tty-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · ccf791e5
      Greg Kroah-Hartman authored
      I wrote:
        "TTY/Serial driver fixes for 4.19-rc6
      
         Here are a number of small tty and serial driver fixes for reported
         issues for 4.19-rc6.
      
         One should hopefully resolve a much-reported issue that syzbot has found
         in the tty layer.  Although there are still more issues there, getting
         this fixed is nice to see finally happen.
      
         All of these have been in linux-next for a while with no reported
         issues."
      
      * tag 'tty-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: imx: restore handshaking irq for imx1
        tty: vt_ioctl: fix potential Spectre v1
        tty: Drop tty->count on tty_reopen() failure
        serial: cpm_uart: return immediately from console poll
        tty: serial: lpuart: avoid leaking struct tty_struct
        serial: mvebu-uart: Fix reporting of effective CSIZE to userspace
      ccf791e5
    • Greg Kroah-Hartman's avatar
      Merge tag 'char-misc-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · fc0c8146
      Greg Kroah-Hartman authored
      Greg (well I), wrote:
        "Char/Misc driver fixes for 4.19-rc6
      
         Here are some soundwire and intel_th (tracing) driver fixes for some
         reported issues.
      
         All of these have been in linux-next for a week with no reported issues."
      
      * tag 'char-misc-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        intel_th: pci: Add Ice Lake PCH support
        intel_th: Fix resource handling for ACPI glue layer
        intel_th: Fix device removal logic
        soundwire: Fix acquiring bus lock twice during master release
        soundwire: Fix incorrect exit after configuring stream
        soundwire: Fix duplicate stream state assignment
      fc0c8146
    • Srikar Dronamraju's avatar
      powerpc/numa: Use associativity if VPHN hcall is successful · 2483ef05
      Srikar Dronamraju authored
      Currently associativity is used to lookup node-id even if the
      preceding VPHN hcall failed. However this can cause CPU to be made
      part of the wrong node, (most likely to be node 0). This is because
      VPHN is not enabled on KVM guests.
      
      With 2ea62630 ("powerpc/topology: Get topology for shared processors at
      boot"), associativity is used to set to the wrong node. Hence KVM
      guest topology is broken.
      
      For example : A 4 node KVM guest before would have reported.
      
        [root@localhost ~]#  numactl -H
        available: 4 nodes (0-3)
        node 0 cpus: 0 1 2 3
        node 0 size: 1746 MB
        node 0 free: 1604 MB
        node 1 cpus: 4 5 6 7
        node 1 size: 2044 MB
        node 1 free: 1765 MB
        node 2 cpus: 8 9 10 11
        node 2 size: 2044 MB
        node 2 free: 1837 MB
        node 3 cpus: 12 13 14 15
        node 3 size: 2044 MB
        node 3 free: 1903 MB
        node distances:
        node   0   1   2   3
          0:  10  40  40  40
          1:  40  10  40  40
          2:  40  40  10  40
          3:  40  40  40  10
      
      Would now report:
      
        [root@localhost ~]# numactl -H
        available: 4 nodes (0-3)
        node 0 cpus: 0 2 3 4 5 6 7 8 9 10 11 12 13 14 15
        node 0 size: 1746 MB
        node 0 free: 1244 MB
        node 1 cpus:
        node 1 size: 2044 MB
        node 1 free: 2032 MB
        node 2 cpus: 1
        node 2 size: 2044 MB
        node 2 free: 2028 MB
        node 3 cpus:
        node 3 size: 2044 MB
        node 3 free: 2032 MB
        node distances:
        node   0   1   2   3
          0:  10  40  40  40
          1:  40  10  40  40
          2:  40  40  10  40
          3:  40  40  40  10
      
      Fix this by skipping associativity lookup if the VPHN hcall failed.
      
      Fixes: 2ea62630 ("powerpc/topology: Get topology for shared processors at boot")
      Signed-off-by: default avatarSrikar Dronamraju <srikar@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      2483ef05
    • Michael Neuling's avatar
      powerpc/tm: Avoid possible userspace r1 corruption on reclaim · 96dc89d5
      Michael Neuling authored
      Current we store the userspace r1 to PACATMSCRATCH before finally
      saving it to the thread struct.
      
      In theory an exception could be taken here (like a machine check or
      SLB miss) that could write PACATMSCRATCH and hence corrupt the
      userspace r1. The SLB fault currently doesn't touch PACATMSCRATCH, but
      others do.
      
      We've never actually seen this happen but it's theoretically
      possible. Either way, the code is fragile as it is.
      
      This patch saves r1 to the kernel stack (which can't fault) before we
      turn MSR[RI] back on. PACATMSCRATCH is still used but only with
      MSR[RI] off. We then copy r1 from the kernel stack to the thread
      struct once we have MSR[RI] back on.
      Suggested-by: default avatarBreno Leitao <leitao@debian.org>
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      96dc89d5
    • Michael Neuling's avatar
      powerpc/tm: Fix userspace r13 corruption · cf13435b
      Michael Neuling authored
      When we treclaim we store the userspace checkpointed r13 to a scratch
      SPR and then later save the scratch SPR to the user thread struct.
      
      Unfortunately, this doesn't work as accessing the user thread struct
      can take an SLB fault and the SLB fault handler will write the same
      scratch SPRG that now contains the userspace r13.
      
      To fix this, we store r13 to the kernel stack (which can't fault)
      before we access the user thread struct.
      
      Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen
      as a random userspace segfault with r13 looking like a kernel address.
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Reviewed-by: default avatarBreno Leitao <leitao@debian.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      cf13435b