1. 30 Dec, 2018 5 commits
  2. 29 Dec, 2018 13 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · f7d18ef6
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net, specifically
      fixes for the nf_conncount infrastructure which is causing troubles
      since 5c789e13 ("netfilter: nf_conncount: Add list lock and gc
      worker, and RCU for init tree search"). Patches aim to simplify this
      infrastructure while fixing up the problems:
      
      1) Use fixed size CONNCOUNT_SLOTS in nf_conncount, from Shawn Bohrer.
      
      2) Incorrect signedness in age calculation from find_or_evict(),
         from Florian Westphal.
      
      3) Proper locking for the garbage collector workqueue callback,
         first make a patch to count how many nodes can be collected
         without holding locks, then grab lock and release them. Also
         from Florian.
      
      4) Restart node lookup from the insertion path, after releasing nodes
         via packet path garbage collection. Shawn Bohrer described a scenario
         that may result in inserting a connection in an already dead list
         node. Patch from Florian.
      
      5) Merge lookup and add function to avoid a hold release and re-grab.
         From Florian.
      
      6) Be safe and iterate over the node lists under the spinlock.
      
      7) Speculative list nodes removal via garbage collection, check if
         list node got a connection while it was scheduled for deletion
         via gc.
      
      8) Accidental argument swap in find_next_bit() that leads to more
         frequent scheduling of the workqueue. From Florian Westphal.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address() · 0d9c9a23
      Scott Wood authored
      These functions are called from atomic context:
      
      [    9.150239] BUG: sleeping function called from invalid context at /home/scott/git/linux/mm/slab.h:421
      [    9.158159] in_atomic(): 1, irqs_disabled(): 0, pid: 4432, name: ip
      [    9.163128] CPU: 8 PID: 4432 Comm: ip Not tainted 4.20.0-rc2-00169-g63d86876 #29
      [    9.163130] Call Trace:
      [    9.170701] [c0000002e899a980] [c0000000009c1068] .dump_stack+0xa8/0xec (unreliable)
      [    9.177140] [c0000002e899aa10] [c00000000007a7b4] .___might_sleep+0x138/0x164
      [    9.184440] [c0000002e899aa80] [c0000000001d5bac] .kmem_cache_alloc_trace+0x238/0x30c
      [    9.191216] [c0000002e899ab40] [c00000000065ea1c] .memac_add_hash_mac_address+0x104/0x198
      [    9.199464] [c0000002e899abd0] [c00000000065a788] .set_multi+0x1c8/0x218
      [    9.206242] [c0000002e899ac80] [c0000000006615ec] .dpaa_set_rx_mode+0xdc/0x17c
      [    9.213544] [c0000002e899ad00] [c00000000083d2b0] .__dev_set_rx_mode+0x80/0xd4
      [    9.219535] [c0000002e899ad90] [c00000000083d334] .dev_set_rx_mode+0x30/0x54
      [    9.225271] [c0000002e899ae10] [c00000000083d4a0] .__dev_open+0x148/0x1c8
      [    9.230751] [c0000002e899aeb0] [c00000000083d934] .__dev_change_flags+0x19c/0x1e0
      [    9.230755] [c0000002e899af60] [c00000000083d9a4] .dev_change_flags+0x2c/0x80
      [    9.242752] [c0000002e899aff0] [c0000000008554ec] .do_setlink+0x350/0xf08
      [    9.248228] [c0000002e899b170] [c000000000857ad0] .rtnl_newlink+0x588/0x7e0
      [    9.253965] [c0000002e899b740] [c000000000852424] .rtnetlink_rcv_msg+0x3e0/0x498
      [    9.261440] [c0000002e899b820] [c000000000884790] .netlink_rcv_skb+0x134/0x14c
      [    9.267607] [c0000002e899b8e0] [c000000000851840] .rtnetlink_rcv+0x18/0x2c
      [    9.274558] [c0000002e899b950] [c000000000883c8c] .netlink_unicast+0x214/0x318
      [    9.281163] [c0000002e899ba00] [c000000000884220] .netlink_sendmsg+0x348/0x444
      [    9.287076] [c0000002e899bae0] [c00000000080d13c] .sock_sendmsg+0x2c/0x54
      [    9.287080] [c0000002e899bb50] [c0000000008106c0] .___sys_sendmsg+0x2d0/0x2d8
      [    9.298375] [c0000002e899bd30] [c000000000811a80] .__sys_sendmsg+0x5c/0xb0
      [    9.303939] [c0000002e899be20] [c0000000000006b0] system_call+0x60/0x6c
      Signed-off-by: Scott Wood <oss@buserror.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() · 7418e652
      Jia-Ju Bai authored
      In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and
      HFCPCI_l1hw() may be concurrently executed.
      
      HFCPCI_l1hw()
        line 1173: if (!cs->tx_skb)
      
      hfcpci_interrupt()
        line 942: spin_lock_irqsave();
        line 1066: dev_kfree_skb_irq(cs->tx_skb);
      
      Thus, a possible concurrency use-after-free bug may occur
      in HFCPCI_l1hw().
      
      To fix these bugs, the calls to spin_lock_irqsave() and
      spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
      access to cs->tx_skb.
      Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ethtool: check the return value of get_regs_len · f9fc54d3
      Yunsheng Lin authored
      The return type for get_regs_len in struct ethtool_ops is int,
      the hns3 driver may return error when failing to get the regs
      len by sending cmd to firmware.
      Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: nf_conncount: fix argument order to find_next_bit · a0072320
      Florian Westphal authored
      Size and 'next bit' were swapped, this bug could cause worker to
      reschedule itself even if system was idle.
      
      Fixes: 5c789e13 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
      Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_conncount: speculative garbage collection on empty lists · c80f10bc
      Pablo Neira Ayuso authored
      Instead of removing an empty list node that might be reintroduced soon
      thereafter, tentatively place the empty list node on the list passed to
      tree_nodes_free(), then re-check if the list is empty again before erasing
      it from the tree.
      
      [ Florian: rebase on top of pending nf_conncount fixes ]
      
      Fixes: 5c789e13 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
      Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_conncount: move all list iterations under spinlock · 2f971a8f
      Pablo Neira Ayuso authored
      Two CPUs may race to remove a connection from the list, the existing
      conn->dead will result in a use-after-free. Use the per-list spinlock to
      protect list iterations.
      
      As all accesses to the list now happen while holding the per-list lock,
      we no longer need to delay free operations with rcu.
      
      Joint work with Florian.
      
      Fixes: 5c789e13 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
      Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_conncount: merge lookup and add functions · df4a9025
      Florian Westphal authored
      'lookup' is always followed by 'add'.
      Merge both and make the list-walk part of nf_conncount_add().
      
      This also avoids one unneeded unlock/re-lock pair.
      
      Extra care needs to be taken in count_tree, as we only hold rcu
      read lock, i.e. we can only insert to an existing tree node after
      acquiring its lock and making sure it has a nonzero count.
      
      As a zero count should be rare, just fall back to insert_tree()
      (which acquires tree lock).
      
      This issue and its solution were pointed out by Shawn Bohrer
      during patch review.
      Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_conncount: restart search when nodes have been erased · e8cfb372
      Florian Westphal authored
      Shawn Bohrer reported the following crash:
       |RIP: 0010:rb_erase+0xae/0x360
       [..]
       Call Trace:
        nf_conncount_destroy+0x59/0xc0 [nf_conncount]
        cleanup_match+0x45/0x70 [ip_tables]
        ...
      
      Shawn tracked this down to bogus 'parent' pointer:
      Problem is that when we insert a new node, then there is a chance that
      the 'parent' that we found was also passed to tree_nodes_free() (because
      that node was empty) for erase+free.
      
      Instead of trying to be clever and detect when this happens, restart
      the search if we have evicted one or more nodes.  To prevent frequent
      restarts, do not perform gc on the second round.
      
      Also, unconditionally schedule the gc worker.
      The condition
      
        gc_count > ARRAY_SIZE(gc_nodes))
      
      cannot be true unless tree grows very large, as the height of the tree
      will be low even with hundreds of nodes present.
      
      Fixes: 5c789e13 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
      Reported-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_conncount: split gc in two phases · f7fcc98d
      Florian Westphal authored
      The lockless workqueue garbage collector can race with packet path
      garbage collector to delete list nodes, as it calls tree_nodes_free()
      with the addresses of nodes that might have been free'd already from
      another cpu.
      
      To fix this, split gc into two phases.
      
      One phase to perform gc on the connections: From a locking perspective,
      this is the same as count_tree(): we hold rcu lock, but we do not
      change the tree, we only change the nodes' contents.
      
      The second phase acquires the tree lock and reaps empty nodes.
      This avoids a race condition of the garbage collection vs.  packet path:
      If a node has been free'd already, the second phase won't find it anymore.
      
      This second phase is, from locking perspective, same as insert_tree().
      
      The former only modifies nodes (list content, count), latter modifies
      the tree itself (rb_erase or rb_insert).
      
      Fixes: 5c789e13 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
      Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_conncount: don't skip eviction when age is negative · 4cd273bb
      Florian Westphal authored
      age is signed integer, so result can be negative when the timestamps
      have a large delta.  In this case we want to discard the entry.
      
      Instead of using age >= 2 || age < 0, just make it unsigned.
      
      Fixes: b36e4523 ("netfilter: nf_conncount: fix garbage collection confirm race")
      Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS · c78e7818
      Shawn Bohrer authored
      Most of the time these were the same value anyway, but when
      CONFIG_LOCKDEP was enabled we would use a smaller number of locks to
      reduce overhead.  Unfortunately having two values is confusing and not
      worth the complexity.
      
      This fixes a bug where tree_gc_worker() would only GC up to
      CONNCOUNT_LOCK_SLOTS trees which meant when CONFIG_LOCKDEP was enabled
      not all trees would be GCed by tree_gc_worker().
      
      Fixes: 5c789e13 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Shawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: fix a missing check of nla_put_failure · eb895086
      Kangjie Lu authored
      nla_nest_start() may fail. The fix checks its return value and goes
      to nla_put_failure if it fails.
      Signed-off-by: Kangjie Lu <kjlu@umn.edu>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. 28 Dec, 2018 13 commits
  4. 27 Dec, 2018 9 commits
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · b71acb0e
      Linus Torvalds authored
      Pull crypto updates from Herbert Xu:
       "API:
         - Add 1472-byte test to tcrypt for IPsec
         - Reintroduced crypto stats interface with numerous changes
         - Support incremental algorithm dumps
      
        Algorithms:
         - Add xchacha12/20
         - Add nhpoly1305
         - Add adiantum
         - Add streebog hash
         - Mark cts(cbc(aes)) as FIPS allowed
      
        Drivers:
         - Improve performance of arm64/chacha20
         - Improve performance of x86/chacha20
         - Add NEON-accelerated nhpoly1305
         - Add SSE2 accelerated nhpoly1305
         - Add AVX2 accelerated nhpoly1305
         - Add support for 192/256-bit keys in gcmaes AVX
         - Add SG support in gcmaes AVX
         - ESN for inline IPsec tx in chcr
         - Add support for CryptoCell 703 in ccree
         - Add support for CryptoCell 713 in ccree
         - Add SM4 support in ccree
         - Add SM3 support in ccree
         - Add support for chacha20 in caam/qi2
         - Add support for chacha20 + poly1305 in caam/jr
         - Add support for chacha20 + poly1305 in caam/qi2
         - Add AEAD cipher support in cavium/nitrox"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (130 commits)
        crypto: skcipher - remove remnants of internal IV generators
        crypto: cavium/nitrox - Fix build with !CONFIG_DEBUG_FS
        crypto: salsa20-generic - don't unnecessarily use atomic walk
        crypto: skcipher - add might_sleep() to skcipher_walk_virt()
        crypto: x86/chacha - avoid sleeping under kernel_fpu_begin()
        crypto: cavium/nitrox - Added AEAD cipher support
        crypto: mxc-scc - fix build warnings on ARM64
        crypto: api - document missing stats member
        crypto: user - remove unused dump functions
        crypto: chelsio - Fix wrong error counter increments
        crypto: chelsio - Reset counters on cxgb4 Detach
        crypto: chelsio - Handle PCI shutdown event
        crypto: chelsio - cleanup:send addr as value in function argument
        crypto: chelsio - Use same value for both channel in single WR
        crypto: chelsio - Swap location of AAD and IV sent in WR
        crypto: chelsio - remove set but not used variable 'kctx_len'
        crypto: ux500 - Use proper enum in hash_set_dma_transfer
        crypto: ux500 - Use proper enum in cryp_set_dma_transfer
        crypto: aesni - Add scatter/gather avx stubs, and use them in C
        crypto: aesni - Introduce partial block macro
        ..
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next · e0c38a4d
      Linus Torvalds authored
      Pull networking updates from David Miller:
      
       1) New ipset extensions for matching on destination MAC addresses, from
          Stefano Brivio.
      
       2) Add ipv4 ttl and tos, plus ipv6 flow label and hop limit offloads to
          nfp driver. From Stefano Brivio.
      
       3) Implement GRO for plain UDP sockets, from Paolo Abeni.
      
       4) Lots of work from Michał Mirosław to eliminate the VLAN_TAG_PRESENT
          bit so that we could support the entire vlan_tci value.
      
       5) Rework the IPSEC policy lookups to better optimize more usecases,
          from Florian Westphal.
      
       6) Infrastructure changes eliminating direct manipulation of SKB lists
          wherever possible, and to always use the appropriate SKB list
          helpers. This work is still ongoing...
      
       7) Lots of PHY driver and state machine improvements and
          simplifications, from Heiner Kallweit.
      
       8) Various TSO deferral refinements, from Eric Dumazet.
      
       9) Add ntuple filter support to aquantia driver, from Dmitry Bogdanov.
      
      10) Batch dropping of XDP packets in tuntap, from Jason Wang.
      
      11) Lots of cleanups and improvements to the r8169 driver from Heiner
          Kallweit, including support for ->xmit_more. This driver has been
          getting some much needed love since he started working on it.
      
      12) Lots of new forwarding selftests from Petr Machata.
      
      13) Enable VXLAN learning in mlxsw driver, from Ido Schimmel.
      
      14) Packed ring support for virtio, from Tiwei Bie.
      
      15) Add new Aquantia AQtion USB driver, from Dmitry Bezrukov.
      
      16) Add XDP support to dpaa2-eth driver, from Ioana Ciocoi Radulescu.
      
      17) Implement coalescing on TCP backlog queue, from Eric Dumazet.
      
      18) Implement carrier change in tun driver, from Nicolas Dichtel.
      
      19) Support msg_zerocopy in UDP, from Willem de Bruijn.
      
      20) Significantly improve garbage collection of neighbor objects when
          the table has many PERMANENT entries, from David Ahern.
      
      21) Remove egdev usage from nfp and mlx5, and remove the facility
          completely from the tree as it no longer has any users. From Oz
          Shlomo and others.
      
      22) Add a NETDEV_PRE_CHANGEADDR so that drivers can veto the change and
          therefore abort the operation before the commit phase (which is the
          NETDEV_CHANGEADDR event). From Petr Machata.
      
      23) Add indirect call wrappers to avoid retpoline overhead, and use them
          in the GRO code paths. From Paolo Abeni.
      
      24) Add support for netlink FDB get operations, from Roopa Prabhu.
      
      25) Support bloom filter in mlxsw driver, from Nir Dotan.
      
      26) Add SKB extension infrastructure. This consolidates the handling of
          the auxiliary SKB data used by IPSEC and bridge netfilter, and is
          designed to support the needs of MPTCP which could be integrated in
          the future.
      
      27) Lots of XDP TX optimizations in mlx5 from Tariq Toukan.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1845 commits)
        net: dccp: fix kernel crash on module load
        drivers/net: appletalk/cops: remove redundant if statement and mask
        bnx2x: Fix NULL pointer dereference in bnx2x_del_all_vlans() on some hw
        net/net_namespace: Check the return value of register_pernet_subsys()
        net/netlink_compat: Fix a missing check of nla_parse_nested
        ieee802154: lowpan_header_create check must check daddr
        net/mlx4_core: drop useless LIST_HEAD
        mlxsw: spectrum: drop useless LIST_HEAD
        net/mlx5e: drop useless LIST_HEAD
        iptunnel: Set tun_flags in the iptunnel_metadata_reply from src
        net/mlx5e: fix semicolon.cocci warnings
        staging: octeon: fix build failure with XFRM enabled
        net: Revert recent Spectre-v1 patches.
        can: af_can: Fix Spectre v1 vulnerability
        packet: validate address length if non-zero
        nfc: af_nfc: Fix Spectre v1 vulnerability
        phonet: af_phonet: Fix Spectre v1 vulnerability
        net: core: Fix Spectre v1 vulnerability
        net: minor cleanup in skb_ext_add()
        net: drop the unused helper skb_ext_get()
        ...
    • Merge tag 'modules-for-v4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux · 7f9f852c
      Linus Torvalds authored
      Pull modules updates from Jessica Yu:
      
       - Some modules-related kallsyms cleanups and a kallsyms fix for ARM.
      
       - Include keys from the secondary keyring in module signature
         verification.
      
      * tag 'modules-for-v4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux:
        ARM: module: Fix function kallsyms on Thumb-2
        module: Overwrite st_size instead of st_info
        module: make it clearer when we're handling kallsyms symbols vs exported symbols
        modsign: use all trusted keys to verify module signature
    • Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 3f03bf93
      Linus Torvalds authored
      Pull general security subsystem updates from James Morris:
       "The main changes here are Paul Gortmaker's removal of unnecessary
        module.h infrastructure"
      
      * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        security: integrity: partial revert of make ima_main explicitly non-modular
        security: fs: make inode explicitly non-modular
        security: audit and remove any unnecessary uses of module.h
        security: integrity: make evm_main explicitly non-modular
        keys: remove needless modular infrastructure from ecryptfs_format
        security: integrity: make ima_main explicitly non-modular
        tomoyo: fix small typo
    • Merge tag 'selinux-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux · fb2a624d
      Linus Torvalds authored
      Pull selinux patches from Paul Moore:
       "I already used my best holiday pull request lines in the audit pull
        request, so this one is going to be a bit more boring, sorry about
        that. To make up for this, we do have a birthday of sorts to
        celebrate: SELinux turns 18 years old this December. Perhaps not the
        most exciting thing in the world for most people, but I think it's
        safe to say that anyone reading this email doesn't exactly fall into
        the "most people" category.
      
        Back to business and the pull request itself:
      
        Ondrej has five patches in this pull request and I lump them into
        three categories: one patch to always allow submounts (using similar
        logic to elsewhere in the kernel), one to fix some issues with the
        SELinux policydb, and the others to cleanup and improve the SELinux
        sidtab.
      
        The other patches from Alexey and Petr are trivial fixes that are
        adequately described in their respective subject lines.
      
        With this last pull request of the year, I want to thank everyone who
        has contributed patches, testing, and reviews to the SELinux project
        this year, and the past 18 years. Like any good open source effort,
        SELinux is only as good as the community which supports it, and I'm
        very happy that we have the community we do - thank you all!"
      
      * tag 'selinux-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
        selinux: overhaul sidtab to fix bug and improve performance
        selinux: use separate table for initial SID lookup
        selinux: make "selinux_policycap_names[]" const char *
        selinux: always allow mounting submounts
        selinux: refactor sidtab conversion
        Documentation: Update SELinux reference policy URL
        selinux: policydb - fix byte order and alignment issues
    • Merge tag 'audit-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit · 047ce6d3
      Linus Torvalds authored
      Pull audit updates from Paul Moore:
       "In the finest of holiday traditions, I have a number of gifts to
        share today. While most of them are re-gifts from others, unlike the
        typical re-gift, these are things you will want in and around your
        tree; I promise.
      
        This pull request is perhaps a bit larger than our typical PR, but
        most of it comes from Jan's rework of audit's fanotify code; a very
        welcome improvement. We ran this through our normal regression tests,
        as well as some newly created stress tests and everything looks good.
      
        Richard added a few patches, mostly cleaning up a few things and
        shortening some of the audit records that we send to userspace; a
        change the userspace folks are quite happy about.
      
        Finally YueHaibing and I kick in a few patches to simplify things a
        bit and make the code less prone to errors.
      
        Lastly, I want to say thanks one more time to everyone who has
        contributed patches, testing, and code reviews for the audit subsystem
        over the past year. The project is what it is due to your help and
        contributions - thank you"
      
      * tag 'audit-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: (22 commits)
        audit: remove duplicated include from audit.c
        audit: shorten PATH cap values when zero
        audit: use current whenever possible
        audit: minimize our use of audit_log_format()
        audit: remove WATCH and TREE config options
        audit: use session_info helper
        audit: localize audit_log_session_info prototype
        audit: Use 'mark' name for fsnotify_mark variables
        audit: Replace chunk attached to mark instead of replacing mark
        audit: Simplify locking around untag_chunk()
        audit: Drop all unused chunk nodes during deletion
        audit: Guarantee forward progress of chunk untagging
        audit: Allocate fsnotify mark independently of chunk
        audit: Provide helper for dropping mark's chunk reference
        audit: Remove pointless check in insert_hash()
        audit: Factor out chunk replacement code
        audit: Make hash table insertion safe against concurrent lookups
        audit: Embed key into chunk
        audit: Fix possible tagging failures
        audit: Fix possible spurious -ENOSPC error
        ...
    • Merge tag 'printk-for-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk · a3b5c106
      Linus Torvalds authored
      Pull printk updates from Petr Mladek:
      
       - Keep spinlocks busted until the end of panic()
      
       - Fix races between calculating number of messages that would fit into
         user space buffers, filling the buffers, and switching printk.time
         parameter
      
       - Some code clean up
      
      * tag 'printk-for-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
        printk: Remove print_prefix() calls with NULL buffer.
        printk: fix printk_time race.
        printk: Make printk_emit() local function.
        panic: avoid deadlocks in re-entrant console drivers
    • Merge tag 'gcc-plugins-v4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · c6f1b355
      Linus Torvalds authored
      Pull gcc-plugins update from Kees Cook:
       "Both arm and arm64 are gaining per-task stack canaries (to match x86),
        but arm is being done with a gcc plugin, hence it going through the
        gcc-plugins tree.
      
        New gcc-plugin:
      
         - Enable per-task stack protector for ARM (Ard Biesheuvel)"
      
      * tag 'gcc-plugins-v4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        ARM: smp: add support for per-task stack canaries
    • Merge tag 'pstore-v4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · c06e9ef6
      Linus Torvalds authored
      Pull pstore updates from Kees Cook:
       "Improvements and refactorings:
      
         - Improve compression handling
      
         - Refactor argument handling during initialization
      
         - Avoid needless locking for saner EFI backend handling
      
         - Add more kern-doc and improve debugging output"
      
      * tag 'pstore-v4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        pstore/ram: Avoid NULL deref in ftrace merging failure path
        pstore: Convert buf_lock to semaphore
        pstore: Fix bool initialization/comparison
        pstore/ram: Do not treat empty buffers as valid
        pstore/ram: Simplify ramoops_get_next_prz() arguments
        pstore: Map PSTORE_TYPE_* to strings
        pstore: Replace open-coded << with BIT()
        pstore: Improve and update some comments and status output
        pstore/ram: Add kern-doc for struct persistent_ram_zone
        pstore/ram: Report backend assignments with finer granularity
        pstore/ram: Standardize module name in ramoops
        pstore: Avoid duplicate call of persistent_ram_zap()
        pstore: Remove needless lock during console writes
        pstore: Do not use crash buffer for decompression