1. 22 Feb, 2018 2 commits
    • Eric Biggers's avatar
      PKCS#7: fix certificate blacklisting · 29f4a67c
      Eric Biggers authored
      If there is a blacklisted certificate in a SignerInfo's certificate
      chain, then pkcs7_verify_sig_chain() sets sinfo->blacklisted and returns
      0.  But, pkcs7_verify() fails to handle this case appropriately, as it
      actually continues on to the line 'actual_ret = 0;', indicating that the
      SignerInfo has passed verification.  Consequently, PKCS#7 signature
      verification ignores the certificate blacklist.
      
      Fix this by not considering blacklisted SignerInfos to have passed
      verification.
      
      Also fix the function comment with regards to when 0 is returned.
      
      Fixes: 03bb7931 ("PKCS#7: Handle blacklisted certificates")
      Cc: <stable@vger.kernel.org> # v4.12+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      29f4a67c
    • Eric Biggers's avatar
      PKCS#7: fix certificate chain verification · 971b42c0
      Eric Biggers authored
      When pkcs7_verify_sig_chain() is building the certificate chain for a
      SignerInfo using the certificates in the PKCS#7 message, it is passing
      the wrong arguments to public_key_verify_signature().  Consequently,
      when the next certificate is supposed to be used to verify the previous
      certificate, the next certificate is actually used to verify itself.
      
      An attacker can use this bug to create a bogus certificate chain that
      has no cryptographic relationship between the beginning and end.
      
      Fortunately I couldn't quite find a way to use this to bypass the
      overall signature verification, though it comes very close.  Here's the
      reasoning: due to the bug, every certificate in the chain beyond the
      first actually has to be self-signed (where "self-signed" here refers to
      the actual key and signature; an attacker might still manipulate the
      certificate fields such that the self_signed flag doesn't actually get
      set, and thus the chain doesn't end immediately).  But to pass trust
      validation (pkcs7_validate_trust()), either the SignerInfo or one of the
      certificates has to actually be signed by a trusted key.  Since only
      self-signed certificates can be added to the chain, the only way for an
      attacker to introduce a trusted signature is to include a self-signed
      trusted certificate.
      
      But, when pkcs7_validate_trust_one() reaches that certificate, instead
      of trying to verify the signature on that certificate, it will actually
      look up the corresponding trusted key, which will succeed, and then try
      to verify the *previous* certificate, which will fail.  Thus, disaster
      is narrowly averted (as far as I could tell).
      
      Fixes: 6c2dc5ae ("X.509: Extract signature digest and make self-signed cert checks earlier")
      Cc: <stable@vger.kernel.org> # v4.7+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      971b42c0
  2. 20 Feb, 2018 1 commit
  3. 19 Feb, 2018 9 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 79c0ef3e
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Prevent index integer overflow in ptr_ring, from Jason Wang.
      
       2) Program mvpp2 multicast filter properly, from Mikulas Patocka.
      
       3) The bridge brport attribute file is write only and doesn't have a
          ->show() method, don't blindly invoke it. From Xin Long.
      
       4) Inverted mask used in genphy_setup_forced(), from Ingo van Lil.
      
       5) Fix multiple definition issue with if_ether.h UAPI header, from
          Hauke Mehrtens.
      
       6) Fix GFP_KERNEL usage in atomic in RDS protocol code, from Sowmini
          Varadhan.
      
       7) Revert XDP redirect support from thunderx driver, it is not
          implemented properly. From Jesper Dangaard Brouer.
      
       8) Fix missing RTNL protection across some tipc operations, from Ying
          Xue.
      
       9) Return the correct IV bytes in the TLS getsockopt code, from Boris
          Pismenny.
      
      10) Take tclassid into consideration properly when doing FIB rule
          matching. From Stefano Brivio.
      
      11) cxgb4 device needs more PCI VPD quirks, from Casey Leedom.
      
      12) TUN driver doesn't align frags properly, and we can end up doing
          unaligned atomics on misaligned metadata. From Eric Dumazet.
      
      13) Fix various crashes found using DEBUG_PREEMPT in rmnet driver, from
          Subash Abhinov Kasiviswanathan.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (56 commits)
        tg3: APE heartbeat changes
        mlxsw: spectrum_router: Do not unconditionally clear route offload indication
        net: qualcomm: rmnet: Fix possible null dereference in command processing
        net: qualcomm: rmnet: Fix warning seen with 64 bit stats
        net: qualcomm: rmnet: Fix crash on real dev unregistration
        sctp: remove the left unnecessary check for chunk in sctp_renege_events
        rxrpc: Work around usercopy check
        tun: fix tun_napi_alloc_frags() frag allocator
        udplite: fix partial checksum initialization
        skbuff: Fix comment mis-spelling.
        dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
        PCI/cxgb4: Extend T3 PCI quirk to T4+ devices
        cxgb4: fix trailing zero in CIM LA dump
        cxgb4: free up resources of pf 0-3
        fib_semantics: Don't match route with mismatching tclassid
        NFC: llcp: Limit size of SDP URI
        tls: getsockopt return record sequence number
        tls: reset the crypto info if copy_from_user fails
        tls: retrun the correct IV in getsockopt
        docs: segmentation-offloads.txt: add SCTP info
        ...
      79c0ef3e
    • Jacek Anaszewski's avatar
      MAINTAINERS: Remove Richard Purdie from LED maintainers · a988681d
      Jacek Anaszewski authored
      Richard has been inactive on the linux-leds list for a long time.
      After email discussion we agreed on removing him from
      the LED maintainers, which will better reflect the actual status.
      Acked-by: default avatarRichard Purdie <rpurdie@rpsys.net>
      Signed-off-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      a988681d
    • Prashant Sreedharan's avatar
      tg3: APE heartbeat changes · 506b0a39
      Prashant Sreedharan authored
      In ungraceful host shutdown or driver crash case BMC connectivity is
      lost. APE firmware is missing the driver state in this
      case to keep the BMC connectivity alive.
      This patch has below change to address this issue.
      
      Heartbeat mechanism with APE firmware. This heartbeat mechanism
      is needed to notify the APE firmware about driver state.
      
      This patch also has the change in wait time for APE event from
      1ms to 20ms as there can be some delay in getting response.
      
      v2: Drop inline keyword as per David suggestion.
      Signed-off-by: default avatarPrashant Sreedharan <prashant.sreedharan@broadcom.com>
      Signed-off-by: default avatarSatish Baddipadige <satish.baddipadige@broadcom.com>
      Signed-off-by: default avatarSiva Reddy Kallam <siva.kallam@broadcom.com>
      Acked-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      506b0a39
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Do not unconditionally clear route offload indication · d1c95af3
      Ido Schimmel authored
      When mlxsw replaces (or deletes) a route it removes the offload
      indication from the replaced route. This is problematic for IPv4 routes,
      as the offload indication is stored in the fib_info which is usually
      shared between multiple routes.
      
      Instead of unconditionally clearing the offload indication, only clear
      it if no other route is using the fib_info.
      
      Fixes: 3984d1a8 ("mlxsw: spectrum_router: Provide offload indication using nexthop flags")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-by: default avatarAlexander Petrovskiy <alexpe@mellanox.com>
      Tested-by: default avatarAlexander Petrovskiy <alexpe@mellanox.com>
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d1c95af3
    • David S. Miller's avatar
      Merge branch 'qualcomm-rmnet-Fix-issues-with-CONFIG_DEBUG_PREEMPT-enabled' · cae69256
      David S. Miller authored
      Subash Abhinov Kasiviswanathan says:
      
      ====================
      net: qualcomm: rmnet: Fix issues with CONFIG_DEBUG_PREEMPT enabled
      
      Patch 1 and 2 fixes issues identified when CONFIG_DEBUG_PREEMPT was
      enabled. These involve APIs which were called in invalid contexts.
      
      Patch 3 is a null derefence fix identified by code inspection.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cae69256
    • Subash Abhinov Kasiviswanathan's avatar
      net: qualcomm: rmnet: Fix possible null dereference in command processing · f57bbaae
      Subash Abhinov Kasiviswanathan authored
      If a command packet with invalid mux id is received, the packet would
      not have a valid endpoint. This invalid endpoint maybe dereferenced
      leading to a crash. Identified by manual code inspection.
      
      Fixes: 3352e6c4 ("net: qualcomm: rmnet: Convert the muxed endpoint to hlist")
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f57bbaae
    • Subash Abhinov Kasiviswanathan's avatar
      net: qualcomm: rmnet: Fix warning seen with 64 bit stats · 4dba8bbc
      Subash Abhinov Kasiviswanathan authored
      With CONFIG_DEBUG_PREEMPT enabled, a warning was seen on device
      creation. This occurs due to the incorrect cpu API usage in
      ndo_get_stats64 handler.
      
      BUG: using smp_processor_id() in preemptible [00000000] code: rmnetcli/5743
      caller is debug_smp_processor_id+0x1c/0x24
      Call trace:
      [<ffffff9d48c8967c>] dump_backtrace+0x0/0x2a8
      [<ffffff9d48c89bbc>] show_stack+0x20/0x28
      [<ffffff9d4901fff8>] dump_stack+0xa8/0xe0
      [<ffffff9d490421e0>] check_preemption_disabled+0x104/0x108
      [<ffffff9d49042200>] debug_smp_processor_id+0x1c/0x24
      [<ffffff9d494a36b0>] rmnet_get_stats64+0x64/0x13c
      [<ffffff9d49b014e0>] dev_get_stats+0x68/0xd8
      [<ffffff9d49d58df8>] rtnl_fill_stats+0x54/0x140
      [<ffffff9d49b1f0b8>] rtnl_fill_ifinfo+0x428/0x9cc
      [<ffffff9d49b23834>] rtmsg_ifinfo_build_skb+0x80/0xf4
      [<ffffff9d49b23930>] rtnetlink_event+0x88/0xb4
      [<ffffff9d48cd21b4>] raw_notifier_call_chain+0x58/0x78
      [<ffffff9d49b028a4>] call_netdevice_notifiers_info+0x48/0x78
      [<ffffff9d49b08bf8>] __netdev_upper_dev_link+0x290/0x5e8
      [<ffffff9d49b08fcc>] netdev_master_upper_dev_link+0x3c/0x48
      [<ffffff9d494a2e74>] rmnet_newlink+0xf0/0x1c8
      [<ffffff9d49b23360>] rtnl_newlink+0x57c/0x6c8
      [<ffffff9d49b2355c>] rtnetlink_rcv_msg+0xb0/0x244
      [<ffffff9d49b5230c>] netlink_rcv_skb+0xb4/0xdc
      [<ffffff9d49b204f4>] rtnetlink_rcv+0x34/0x44
      [<ffffff9d49b51af0>] netlink_unicast+0x1ec/0x294
      [<ffffff9d49b51fdc>] netlink_sendmsg+0x320/0x390
      [<ffffff9d49ae6858>] sock_sendmsg+0x54/0x60
      [<ffffff9d49ae91bc>] SyS_sendto+0x1a0/0x1e4
      [<ffffff9d48c83770>] el0_svc_naked+0x24/0x28
      
      Fixes: 192c4b5d ("net: qualcomm: rmnet: Add support for 64 bit stats")
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4dba8bbc
    • Subash Abhinov Kasiviswanathan's avatar
      net: qualcomm: rmnet: Fix crash on real dev unregistration · b37f78f2
      Subash Abhinov Kasiviswanathan authored
      With CONFIG_DEBUG_PREEMPT enabled, a crash with the following call
      stack was observed when removing a real dev which had rmnet devices
      attached to it.
      To fix this, remove the netdev_upper link APIs and instead use the
      existing information in rmnet_port and rmnet_priv to get the
      association between real and rmnet devs.
      
      BUG: sleeping function called from invalid context
      in_atomic(): 0, irqs_disabled(): 0, pid: 5762, name: ip
      Preemption disabled at:
      [<ffffff9d49043564>] debug_object_active_state+0xa4/0x16c
      Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      Modules linked in:
      PC is at ___might_sleep+0x13c/0x180
      LR is at ___might_sleep+0x17c/0x180
      [<ffffff9d48ce0924>] ___might_sleep+0x13c/0x180
      [<ffffff9d48ce09c0>] __might_sleep+0x58/0x8c
      [<ffffff9d49d6253c>] mutex_lock+0x2c/0x48
      [<ffffff9d48ed4840>] kernfs_remove_by_name_ns+0x48/0xa8
      [<ffffff9d48ed6ec8>] sysfs_remove_link+0x30/0x58
      [<ffffff9d49b05840>] __netdev_adjacent_dev_remove+0x14c/0x1e0
      [<ffffff9d49b05914>] __netdev_adjacent_dev_unlink_lists+0x40/0x68
      [<ffffff9d49b08820>] netdev_upper_dev_unlink+0xb4/0x1fc
      [<ffffff9d494a29f0>] rmnet_dev_walk_unreg+0x6c/0xc8
      [<ffffff9d49b00b40>] netdev_walk_all_lower_dev_rcu+0x58/0xb4
      [<ffffff9d494a30fc>] rmnet_config_notify_cb+0xf4/0x134
      [<ffffff9d48cd21b4>] raw_notifier_call_chain+0x58/0x78
      [<ffffff9d49b028a4>] call_netdevice_notifiers_info+0x48/0x78
      [<ffffff9d49b0b568>] rollback_registered_many+0x230/0x3c8
      [<ffffff9d49b0b738>] unregister_netdevice_many+0x38/0x94
      [<ffffff9d49b1e110>] rtnl_delete_link+0x58/0x88
      [<ffffff9d49b201dc>] rtnl_dellink+0xbc/0x1cc
      [<ffffff9d49b2355c>] rtnetlink_rcv_msg+0xb0/0x244
      [<ffffff9d49b5230c>] netlink_rcv_skb+0xb4/0xdc
      [<ffffff9d49b204f4>] rtnetlink_rcv+0x34/0x44
      [<ffffff9d49b51af0>] netlink_unicast+0x1ec/0x294
      [<ffffff9d49b51fdc>] netlink_sendmsg+0x320/0x390
      [<ffffff9d49ae6858>] sock_sendmsg+0x54/0x60
      [<ffffff9d49ae6f94>] ___sys_sendmsg+0x298/0x2b0
      [<ffffff9d49ae98f8>] SyS_sendmsg+0xb4/0xf0
      [<ffffff9d48c83770>] el0_svc_naked+0x24/0x28
      
      Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
      Fixes: 60d58f97 ("net: qualcomm: rmnet: Implement bridge mode")
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b37f78f2
    • Linus Torvalds's avatar
      Linux 4.16-rc2 · 91ab883e
      Linus Torvalds authored
      91ab883e
  4. 18 Feb, 2018 4 commits
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0e06fb5b
      Linus Torvalds authored
      Pull x86 Kconfig fixes from Thomas Gleixner:
       "Three patchlets to correct HIGHMEM64G and CMPXCHG64 dependencies in
        Kconfig when CPU selections are explicitely set to M586 or M686"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/Kconfig: Explicitly enumerate i686-class CPUs in Kconfig
        x86/Kconfig: Exclude i586-class CPUs lacking PAE support from the HIGHMEM64G Kconfig group
        x86/Kconfig: Add missing i586-class CPUs to the X86_CMPXCHG64 Kconfig group
      0e06fb5b
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9ca2c16f
      Linus Torvalds authored
      Pull perf updates from Thomas Gleixner:
       "Perf tool updates and kprobe fixes:
      
         - perf_mmap overwrite mode fixes/overhaul, prep work to get 'perf
           top' using it, making it bearable to use it in large core count
           systems such as Knights Landing/Mill Intel systems (Kan Liang)
      
         - s/390 now uses syscall.tbl, just like x86-64 to generate the
           syscall table id -> string tables used by 'perf trace' (Hendrik
           Brueckner)
      
         - Use strtoull() instead of home grown function (Andy Shevchenko)
      
         - Synchronize kernel ABI headers, v4.16-rc1 (Ingo Molnar)
      
         - Document missing 'perf data --force' option (Sangwon Hong)
      
         - Add perf vendor JSON metrics for ARM Cortex-A53 Processor (William
           Cohen)
      
         - Improve error handling and error propagation of ftrace based
           kprobes so failures when installing kprobes are not silently
           ignored and create disfunctional tracepoints"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (27 commits)
        kprobes: Propagate error from disarm_kprobe_ftrace()
        kprobes: Propagate error from arm_kprobe_ftrace()
        Revert "tools include s390: Grab a copy of arch/s390/include/uapi/asm/unistd.h"
        perf s390: Rework system call table creation by using syscall.tbl
        perf s390: Grab a copy of arch/s390/kernel/syscall/syscall.tbl
        tools/headers: Synchronize kernel ABI headers, v4.16-rc1
        perf test: Fix test trace+probe_libc_inet_pton.sh for s390x
        perf data: Document missing --force option
        perf tools: Substitute yet another strtoull()
        perf top: Check the latency of perf_top__mmap_read()
        perf top: Switch default mode to overwrite mode
        perf top: Remove lost events checking
        perf hists browser: Add parameter to disable lost event warning
        perf top: Add overwrite fall back
        perf evsel: Expose the perf_missing_features struct
        perf top: Check per-event overwrite term
        perf mmap: Discard legacy interface for mmap read
        perf test: Update mmap read functions for backward-ring-buffer test
        perf mmap: Introduce perf_mmap__read_event()
        perf mmap: Introduce perf_mmap__read_done()
        ...
      9ca2c16f
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 2d6c4e40
      Linus Torvalds authored
      Pull irq updates from Thomas Gleixner:
       "A small set of updates mostly for irq chip drivers:
      
         - MIPS GIC fix for spurious, masked interrupts
      
         - fix for a subtle IPI bug in GICv3
      
         - do not probe GICv3 ITSs that are marked as disabled
      
         - multi-MSI support for GICv2m
      
         - various small cleanups"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqdomain: Re-use DEFINE_SHOW_ATTRIBUTE() macro
        irqchip/bcm: Remove hashed address printing
        irqchip/gic-v2m: Add PCI Multi-MSI support
        irqchip/gic-v3: Ignore disabled ITS nodes
        irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
        irqchip/gic-v3: Change pr_debug message to pr_devel
        irqchip/mips-gic: Avoid spuriously handling masked interrupts
      2d6c4e40
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 59e47215
      Linus Torvalds authored
      Pull core fix from Thomas Gleixner:
       "A small fix which adds the missing for_each_cpu_wrap() stub for the UP
        case to avoid build failures"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        cpumask: Make for_each_cpu_wrap() available on UP as well
      59e47215
  5. 17 Feb, 2018 11 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20180217' of git://git.kernel.dk/linux-block · c786427f
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request from Keith, with fixes all over the map for nvme.
         From various folks.
      
       - Classic polling fix, that avoids a latency issue where we still end
         up waiting for an interrupt in some cases. From Nitesh Shetty.
      
       - Comment typo fix from Minwoo Im.
      
      * tag 'for-linus-20180217' of git://git.kernel.dk/linux-block:
        block: fix a typo in comment of BLK_MQ_POLL_STATS_BKTS
        nvme-rdma: fix sysfs invoked reset_ctrl error flow
        nvmet: Change return code of discard command if not supported
        nvme-pci: Fix timeouts in connecting state
        nvme-pci: Remap CMB SQ entries on every controller reset
        nvme: fix the deadlock in nvme_update_formats
        blk: optimization for classic polling
        nvme: Don't use a stack buffer for keep-alive command
        nvme_fc: cleanup io completion
        nvme_fc: correct abort race condition on resets
        nvme: Fix discard buffer overrun
        nvme: delete NVME_CTRL_LIVE --> NVME_CTRL_CONNECTING transition
        nvme-rdma: use NVME_CTRL_CONNECTING state to mark init process
        nvme: rename NVME_CTRL_RECONNECTING state to NVME_CTRL_CONNECTING
      c786427f
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · fa2139ef
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
      
       - meson-gx: Revert to earlier tuning process
      
       - bcm2835: Don't overwrite max frequency unconditionally
      
      * tag 'mmc-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: bcm2835: Don't overwrite max frequency unconditionally
        Revert "mmc: meson-gx: include tx phase in the tuning process"
      fa2139ef
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-4.16-rc2' of git://git.infradead.org/linux-mtd · 4b6415f9
      Linus Torvalds authored
      Pull mtd fixes from Boris Brezillon:
      
       - add missing dependency to NAND_MARVELL Kconfig entry
      
       - use the appropriate OOB layout in the VF610 driver
      
      * tag 'mtd/fixes-for-4.16-rc2' of git://git.infradead.org/linux-mtd:
        mtd: nand: MTD_NAND_MARVELL should depend on HAS_DMA
        mtd: nand: vf610: set correct ooblayout
      4b6415f9
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · ee78ad78
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "The main attraction is a fix for a bug in the new drmem code, which
        was causing an oops on boot on some versions of Qemu.
      
        There's also a fix for XIVE (Power9 interrupt controller) on KVM, as
        well as a few other minor fixes.
      
        Thanks to: Corentin Labbe, Cyril Bur, Cédric Le Goater, Daniel Black,
        Nathan Fontenot, Nicholas Piggin"
      
      * tag 'powerpc-4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries: Check for zero filled ibm,dynamic-memory property
        powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
        powerpc/powernv: IMC fix out of bounds memory access at shutdown
        powerpc/xive: Use hw CPU ids when configuring the CPU queues
        powerpc: Expose TSCR via sysfs only on powernv
      ee78ad78
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 74688a02
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
       "The bulk of this is the pte accessors annotation to READ/WRITE_ONCE
        (we tried to avoid pushing this during the merge window to avoid
        conflicts)
      
         - Updated the page table accessors to use READ/WRITE_ONCE and prevent
           compiler transformation that could lead to an apparent loss of
           coherency
      
         - Enabled branch predictor hardening for the Falkor CPU
      
         - Fix interaction between kpti enabling and KASan causing the
           recursive page table walking to take a significant time
      
         - Fix some sparse warnings"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: cputype: Silence Sparse warnings
        arm64: mm: Use READ_ONCE/WRITE_ONCE when accessing page tables
        arm64: proc: Set PTE_NG for table entries to avoid traversing them twice
        arm64: Add missing Falkor part number for branch predictor hardening
      74688a02
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.16a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · f73f047d
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
      
       - fixes for the Xen pvcalls frontend driver
      
       - fix for booting Xen pv domains
      
       - fix for the xenbus driver user interface
      
      * tag 'for-linus-4.16a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        pvcalls-front: wait for other operations to return when release passive sockets
        pvcalls-front: introduce a per sock_mapping refcount
        x86/xen: Calculate __max_logical_packages on PV domains
        xenbus: track caller request id
      f73f047d
    • Stefano Stabellini's avatar
      pvcalls-front: wait for other operations to return when release passive sockets · d1a75e08
      Stefano Stabellini authored
      Passive sockets can have ongoing operations on them, specifically, we
      have two wait_event_interruptable calls in pvcalls_front_accept.
      
      Add two wake_up calls in pvcalls_front_release, then wait for the
      potential waiters to return and release the sock_mapping refcount.
      Signed-off-by: default avatarStefano Stabellini <stefano@aporeto.com>
      Acked-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      d1a75e08
    • Stefano Stabellini's avatar
      pvcalls-front: introduce a per sock_mapping refcount · 64d68718
      Stefano Stabellini authored
      Introduce a per sock_mapping refcount, in addition to the existing
      global refcount. Thanks to the sock_mapping refcount, we can safely wait
      for it to be 1 in pvcalls_front_release before freeing an active socket,
      instead of waiting for the global refcount to be 1.
      Signed-off-by: default avatarStefano Stabellini <stefano@aporeto.com>
      Acked-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      64d68718
    • Prarit Bhargava's avatar
      x86/xen: Calculate __max_logical_packages on PV domains · 63e708f8
      Prarit Bhargava authored
      The kernel panics on PV domains because native_smp_cpus_done() is
      only called for HVM domains.
      
      Calculate __max_logical_packages for PV domains.
      
      Fixes: b4c0a732 ("x86/smpboot: Fix __max_logical_packages estimate")
      Signed-off-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Tested-and-reported-by: default avatarSimon Gaiser <simon@invisiblethingslab.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: x86@kernel.org
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Dou Liyang <douly.fnst@cn.fujitsu.com>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Cc: Kate Stewart <kstewart@linuxfoundation.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
      Cc: xen-devel@lists.xenproject.org
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      63e708f8
    • Joao Martins's avatar
      xenbus: track caller request id · 29fee6ee
      Joao Martins authored
      Commit fd8aa909 ("xen: optimize xenbus driver for multiple concurrent
      xenstore accesses") optimized xenbus concurrent accesses but in doing so
      broke UABI of /dev/xen/xenbus. Through /dev/xen/xenbus applications are in
      charge of xenbus message exchange with the correct header and body. Now,
      after the mentioned commit the replies received by application will no
      longer have the header req_id echoed back as it was on request (see
      specification below for reference), because that particular field is being
      overwritten by kernel.
      
      struct xsd_sockmsg
      {
        uint32_t type;  /* XS_??? */
        uint32_t req_id;/* Request identifier, echoed in daemon's response.  */
        uint32_t tx_id; /* Transaction id (0 if not related to a transaction). */
        uint32_t len;   /* Length of data following this. */
      
        /* Generally followed by nul-terminated string(s). */
      };
      
      Before there was only one request at a time so req_id could simply be
      forwarded back and forth. To allow simultaneous requests we need a
      different req_id for each message thus kernel keeps a monotonic increasing
      counter for this field and is written on every request irrespective of
      userspace value.
      
      Forwarding again the req_id on userspace requests is not a solution because
      we would open the possibility of userspace-generated req_id colliding with
      kernel ones. So this patch instead takes another route which is to
      artificially keep user req_id while keeping the xenbus logic as is. We do
      that by saving the original req_id before xs_send(), use the private kernel
      counter as req_id and then once reply comes and was validated, we restore
      back the original req_id.
      
      Cc: <stable@vger.kernel.org> # 4.11
      Fixes: fd8aa909 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
      Reported-by: default avatarBhavesh Davda <bhavesh.davda@oracle.com>
      Signed-off-by: default avatarJoao Martins <joao.m.martins@oracle.com>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      29fee6ee
    • Robin Murphy's avatar
      arm64: cputype: Silence Sparse warnings · e1a50de3
      Robin Murphy authored
      Sparse makes a fair bit of noise about our MPIDR mask being implicitly
      long - let's explicitly describe it as such rather than just relying on
      the value forcing automatic promotion.
      Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      e1a50de3
  6. 16 Feb, 2018 13 commits
    • Xin Long's avatar
      sctp: remove the left unnecessary check for chunk in sctp_renege_events · 9ab2323c
      Xin Long authored
      Commit fb234035 ("sctp: remove the useless check in
      sctp_renege_events") forgot to remove another check for
      chunk in sctp_renege_events.
      
      Dan found this when doing a static check.
      
      This patch is to remove that check, and also to merge
      two checks into one 'if statement'.
      
      Fixes: fb234035 ("sctp: remove the useless check in sctp_renege_events")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9ab2323c
    • David Howells's avatar
      rxrpc: Work around usercopy check · a16b8d0c
      David Howells authored
      Due to a check recently added to copy_to_user(), it's now not permitted to
      copy from slab-held data to userspace unless the slab is whitelisted.  This
      affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
      control message in the userspace control message buffer.  A warning is
      generated by usercopy_warn() because the source is the copy of the
      user_call_ID retained in the rxrpc_call struct.
      
      Work around the issue by copying the user_call_ID to a variable on the
      stack and passing that to put_cmsg().
      
      The warning generated looks like:
      
      	Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
      	WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
      	...
      	RIP: 0010:usercopy_warn+0x7e/0xa0
      	...
      	Call Trace:
      	 __check_object_size+0x9c/0x1a0
      	 put_cmsg+0x98/0x120
      	 rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
      	 ? finish_wait+0x80/0x80
      	 ___sys_recvmsg+0xf8/0x240
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? finish_task_switch+0xa6/0x2b0
      	 ? trace_hardirqs_on_caller+0xed/0x180
      	 ? _raw_spin_unlock_irq+0x29/0x40
      	 ? __sys_recvmsg+0x4e/0x90
      	 __sys_recvmsg+0x4e/0x90
      	 do_syscall_64+0x7a/0x220
      	 entry_SYSCALL_64_after_hwframe+0x26/0x9b
      Reported-by: default avatarJonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarJonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a16b8d0c
    • Eric Dumazet's avatar
      tun: fix tun_napi_alloc_frags() frag allocator · 43a08e0f
      Eric Dumazet authored
      <Mark Rutland reported>
          While fuzzing arm64 v4.16-rc1 with Syzkaller, I've been hitting a
          misaligned atomic in __skb_clone:
      
              atomic_inc(&(skb_shinfo(skb)->dataref));
      
         where dataref doesn't have the required natural alignment, and the
         atomic operation faults. e.g. i often see it aligned to a single
         byte boundary rather than a four byte boundary.
      
         AFAICT, the skb_shared_info is misaligned at the instant it's
         allocated in __napi_alloc_skb()  __napi_alloc_skb()
      </end of report>
      
      Problem is caused by tun_napi_alloc_frags() using
      napi_alloc_frag() with user provided seg sizes,
      leading to other users of this API getting unaligned
      page fragments.
      
      Since we would like to not necessarily add paddings or alignments to
      the frags that tun_napi_alloc_frags() attaches to the skb, switch to
      another page frag allocator.
      
      As a bonus skb_page_frag_refill() can use GFP_KERNEL allocations,
      meaning that we can not deplete memory reserves as easily.
      
      Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarMark Rutland <mark.rutland@arm.com>
      Tested-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43a08e0f
    • Alexey Kodanev's avatar
      udplite: fix partial checksum initialization · 15f35d49
      Alexey Kodanev authored
      Since UDP-Lite is always using checksum, the following path is
      triggered when calculating pseudo header for it:
      
        udp4_csum_init() or udp6_csum_init()
          skb_checksum_init_zero_check()
            __skb_checksum_validate_complete()
      
      The problem can appear if skb->len is less than CHECKSUM_BREAK. In
      this particular case __skb_checksum_validate_complete() also invokes
      __skb_checksum_complete(skb). If UDP-Lite is using partial checksum
      that covers only part of a packet, the function will return bad
      checksum and the packet will be dropped.
      
      It can be fixed if we skip skb_checksum_init_zero_check() and only
      set the required pseudo header checksum for UDP-Lite with partial
      checksum before udp4_csum_init()/udp6_csum_init() functions return.
      
      Fixes: ed70fcfc ("net: Call skb_checksum_init in IPv4")
      Fixes: e4f45b7f ("net: Call skb_checksum_init in IPv6")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      15f35d49
    • David S. Miller's avatar
      skbuff: Fix comment mis-spelling. · da279887
      David S. Miller authored
      'peform' --> 'perform'
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      da279887
    • Paolo Abeni's avatar
      dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock · dfec0914
      Paolo Abeni authored
      After commit 3f34cfae ("netfilter: on sockopt() acquire sock lock
      only in the required scope"), the caller of nf_{get/set}sockopt() must
      not hold any lock, but, in such changeset, I forgot to cope with DECnet.
      
      This commit addresses the issue moving the nf call outside the lock,
      in the dn_{get,set}sockopt() with the same schema currently used by
      ipv4 and ipv6. Also moves the unhandled sockopts of the end of the main
      switch statements, to improve code readability.
      Reported-by: default avatarPetr Vandrovec <petr@vandrovec.name>
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198791#c2
      Fixes: 3f34cfae ("netfilter: on sockopt() acquire sock lock only in the required scope")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dfec0914
    • Casey Leedom's avatar
      PCI/cxgb4: Extend T3 PCI quirk to T4+ devices · 7dcf688d
      Casey Leedom authored
      We've run into a problem where our device is attached
      to a Virtual Machine and the use of the new pci_set_vpd_size()
      API doesn't help.  The VM kernel has been informed that
      the accesses are okay, but all of the actual VPD Capability
      Accesses are trapped down into the KVM Hypervisor where it
      goes ahead and imposes the silent denials.
      
      The right idea is to follow the kernel.org
      commit 1c7de2b4 ("PCI: Enable access to non-standard VPD for
      Chelsio devices (cxgb3)") which Alexey Kardashevskiy authored
      to establish a PCI Quirk for our T3-based adapters. This commit
      extends that PCI Quirk to cover Chelsio T4 devices and later.
      
      The advantage of this approach is that the VPD Size gets set early
      in the Base OS/Hypervisor Boot and doesn't require that the cxgb4
      driver even be available in the Base OS/Hypervisor.  Thus PF4 can
      be exported to a Virtual Machine and everything should work.
      
      Fixes: 67e65879 ("cxgb4: Set VPD size so we can read both VPD structures")
      Cc: <stable@vger.kernel.org>  # v4.9+
      Signed-off-by: default avatarCasey Leedom <leedom@chelsio.com>
      Signed-off-by: default avatarArjun Vynipadath <arjun@chelsio.com>
      Signed-off-by: default avatarGanesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7dcf688d
    • Rahul Lakkireddy's avatar
      cxgb4: fix trailing zero in CIM LA dump · e6f02a4d
      Rahul Lakkireddy authored
      Set correct size of the CIM LA dump for T6.
      
      Fixes: 27887bc7 ("cxgb4: collect hardware LA dumps")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarGanesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e6f02a4d
    • Ganesh Goudar's avatar
      cxgb4: free up resources of pf 0-3 · c4e43e14
      Ganesh Goudar authored
      free pf 0-3 resources, commit baf50868 ("cxgb4:
      restructure VF mgmt code") erroneously removed the
      code which frees the pf 0-3 resources, causing the
      probe of pf 0-3 to fail in case of driver reload.
      
      Fixes: baf50868 ("cxgb4: restructure VF mgmt code")
      Signed-off-by: default avatarGanesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4e43e14
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-4.16-2' of git://git.infradead.org/users/hch/dma-mapping · 1e3510b2
      Linus Torvalds authored
      Pull dma-mapping fixes from Christoph Hellwig:
       "A few dma-mapping fixes for the fallout from the changes in rc1"
      
      * tag 'dma-mapping-4.16-2' of git://git.infradead.org/users/hch/dma-mapping:
        powerpc/macio: set a proper dma_coherent_mask
        dma-mapping: fix a comment typo
        dma-direct: comment the dma_direct_free calling convention
        dma-direct: mark as is_phys
        ia64: fix build failure with CONFIG_SWIOTLB
      1e3510b2
    • Stefano Brivio's avatar
      fib_semantics: Don't match route with mismatching tclassid · a8c6db1d
      Stefano Brivio authored
      In fib_nh_match(), if output interface or gateway are passed in
      the FIB configuration, we don't have to check next hops of
      multipath routes to conclude whether we have a match or not.
      
      However, we might still have routes with different realms
      matching the same output interface and gateway configuration,
      and this needs to cause the match to fail. Otherwise the first
      route inserted in the FIB will match, regardless of the realms:
      
       # ip route add 1.1.1.1 dev eth0 table 1234 realms 1/2
       # ip route append 1.1.1.1 dev eth0 table 1234 realms 3/4
       # ip route list table 1234
       1.1.1.1 dev eth0 scope link realms 1/2
       1.1.1.1 dev eth0 scope link realms 3/4
       # ip route del 1.1.1.1 dev ens3 table 1234 realms 3/4
       # ip route list table 1234
       1.1.1.1 dev ens3 scope link realms 3/4
      
      whereas route with realms 3/4 should have been deleted instead.
      
      Explicitly check for fc_flow passed in the FIB configuration
      (this comes from RTA_FLOW extracted by rtm_to_fib_config()) and
      fail matching if it differs from nh_tclassid.
      
      The handling of RTA_FLOW for multipath routes later in
      fib_nh_match() is still needed, as we can have multiple RTA_FLOW
      attributes that need to be matched against the tclassid of each
      next hop.
      
      v2: Check that fc_flow is set before discarding the match, so
          that the user can still select the first matching rule by
          not specifying any realm, as suggested by David Ahern.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8c6db1d
    • Kees Cook's avatar
      NFC: llcp: Limit size of SDP URI · fe9c8426
      Kees Cook authored
      The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
      this both in the NLA policy and in the code that performs the allocation
      and copy, to avoid writing past the end of the allocated buffer.
      
      Fixes: d9b8d8e1 ("NFC: llcp: Service Name Lookup netlink interface")
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fe9c8426
    • Will Deacon's avatar
      arm64: mm: Use READ_ONCE/WRITE_ONCE when accessing page tables · 20a004e7
      Will Deacon authored
      In many cases, page tables can be accessed concurrently by either another
      CPU (due to things like fast gup) or by the hardware page table walker
      itself, which may set access/dirty bits. In such cases, it is important
      to use READ_ONCE/WRITE_ONCE when accessing page table entries so that
      entries cannot be torn, merged or subject to apparent loss of coherence
      due to compiler transformations.
      
      Whilst there are some scenarios where this cannot happen (e.g. pinned
      kernel mappings for the linear region), the overhead of using READ_ONCE
      /WRITE_ONCE everywhere is minimal and makes the code an awful lot easier
      to reason about. This patch consistently uses these macros in the arch
      code, as well as explicitly namespacing pointers to page table entries
      from the entries themselves by using adopting a 'p' suffix for the former
      (as is sometimes used elsewhere in the kernel source).
      Tested-by: default avatarYury Norov <ynorov@caviumnetworks.com>
      Tested-by: default avatarRichard Ruigrok <rruigrok@codeaurora.org>
      Reviewed-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      20a004e7