1. 21 Jan, 2019 1 commit
    • Andrea Parri's avatar
      tools/memory-model: Model smp_mb__after_unlock_lock() · 5b735eb1
      Andrea Parri authored
      The kernel documents smp_mb__after_unlock_lock() the following way:
      
        "Place this after a lock-acquisition primitive to guarantee that
         an UNLOCK+LOCK pair acts as a full barrier.  This guarantee applies
         if the UNLOCK and LOCK are executed by the same CPU or if the
         UNLOCK and LOCK operate on the same lock variable."
      
      Formalize in LKMM the above guarantee by defining (new) mb-links according
      to the law:
      
        ([M] ; po ; [UL] ; (co | po) ; [LKW] ;
      	fencerel(After-unlock-lock) ; [M])
      
      where the component ([UL] ; co ; [LKW]) identifies "UNLOCK+LOCK pairs on
      the same lock variable" and the component ([UL] ; po ; [LKW]) identifies
      "UNLOCK+LOCK pairs executed by the same CPU".
      
      In particular, the LKMM forbids the following two behaviors (the second
      litmus test below is based on:
      
        Documentation/RCU/Design/Memory-Ordering/Tree-RCU-Memory-Ordering.html
      
      c.f., Section "Tree RCU Grace Period Memory Ordering Building Blocks"):
      
      C after-unlock-lock-same-cpu
      
      (*
       * Result: Never
       *)
      
      {}
      
      P0(spinlock_t *s, spinlock_t *t, int *x, int *y)
      {
      	int r0;
      
      	spin_lock(s);
      	WRITE_ONCE(*x, 1);
      	spin_unlock(s);
      	spin_lock(t);
      	smp_mb__after_unlock_lock();
      	r0 = READ_ONCE(*y);
      	spin_unlock(t);
      }
      
      P1(int *x, int *y)
      {
      	int r0;
      
      	WRITE_ONCE(*y, 1);
      	smp_mb();
      	r0 = READ_ONCE(*x);
      }
      
      exists (0:r0=0 /\ 1:r0=0)
      
      C after-unlock-lock-same-lock-variable
      
      (*
       * Result: Never
       *)
      
      {}
      
      P0(spinlock_t *s, int *x, int *y)
      {
      	int r0;
      
      	spin_lock(s);
      	WRITE_ONCE(*x, 1);
      	r0 = READ_ONCE(*y);
      	spin_unlock(s);
      }
      
      P1(spinlock_t *s, int *y, int *z)
      {
      	int r0;
      
      	spin_lock(s);
      	smp_mb__after_unlock_lock();
      	WRITE_ONCE(*y, 1);
      	r0 = READ_ONCE(*z);
      	spin_unlock(s);
      }
      
      P2(int *z, int *x)
      {
      	int r0;
      
      	WRITE_ONCE(*z, 1);
      	smp_mb();
      	r0 = READ_ONCE(*x);
      }
      
      exists (0:r0=0 /\ 1:r0=0 /\ 2:r0=0)
      Signed-off-by: default avatarAndrea Parri <andrea.parri@amarulasolutions.com>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.ibm.com>
      Cc: Akira Yokosawa <akiyks@gmail.com>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Cc: Boqun Feng <boqun.feng@gmail.com>
      Cc: Daniel Lustig <dlustig@nvidia.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Jade Alglave <j.alglave@ucl.ac.uk>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Luc Maranget <luc.maranget@inria.fr>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: linux-arch@vger.kernel.org
      Cc: parri.andrea@gmail.com
      Link: http://lkml.kernel.org/r/20181203230451.28921-1-paulmck@linux.ibm.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      5b735eb1
  2. 18 Jan, 2019 4 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · d7393226
      Linus Torvalds authored
      Pull rdma fixes frfom Jason Gunthorpe:
       "Not much so far. We have the usual batch of bugs and two fixes to code
        merged this cycle:
      
         - Restore valgrind support for the ioctl verbs interface merged this
           window, and fix a missed error code on an error path from that
           conversion
      
         - A user reported crash on obsolete mthca hardware
      
         - pvrdma was using the wrong command opcode toward the hypervisor
      
         - NULL pointer crash regression when dumping rdma-cm over netlink
      
         - Be conservative about exposing the global rkey"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/uverbs: Mark ioctl responses with UVERBS_ATTR_F_VALID_OUTPUT
        RDMA/mthca: Clear QP objects during their allocation
        RDMA/vmw_pvrdma: Return the correct opcode when creating WR
        RDMA/cma: Add cm_id restrack resource based on kernel or user cm_id type
        RDMA/nldev: Don't expose unsafe global rkey to regular user
        RDMA/uverbs: Fix post send success return value in case of error
      d7393226
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-01-18' of git://anongit.freedesktop.org/drm/drm · 1092a94f
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "The rc3 fixes are a bit scattered:
      
         - meson, sun4i and rockchip all had missing of_node_put.
      
         - qxl and virtio both were advertising dma-buf to userspace when they
           really shouldn't have.
      
        Otherwise:
      
        meson:
         - modesetting regression fix
      
        i915 GVT:
         - one cmd parser failure fix
         - region cleanup fix in vGPU destroy
      
        amdgpu:
         - KFD fixes for arm64 mixed APU/DGPU
         - vega12 powerplay fix
         - raven DC fixes
         - freesync fix"
      
      * tag 'drm-fixes-2019-01-18' of git://anongit.freedesktop.org/drm/drm:
        drm/amd/display: Detach backlight from stream
        drm/sun4i: backend: add missing of_node_puts
        Revert "drm/amdgpu: validate user pitch alignment"
        Revert "drm/amdgpu: validate user GEM object size"
        drm/meson: Fix atomic mode switching regression
        drm/i915/gvt: Fix mmap range check
        drm/i915/gvt: free VFIO region space in vgpu detach
        drm/amd/display: Fix disabled cursor on top screen edge
        drm/amd/display: fix warning on raven hotplug
        drm/amd/display: fix PME notification not working in RV desktop
        drm/amd/display: Only get the connector state for VRR when toggled
        drm/amd/display: Pack DMCU iRAM alignment
        drm/amd/powerplay: run acg btc for Vega12
        drm/amdkfd: Don't assign dGPUs to APU topology devices
        drm/amdkfd: Allow building KFD on ARM64 (v2)
        drm/meson: add missing of_node_put
        drm/virtio: drop prime import/export callbacks
        drm/qxl: drop prime import/export callbacks
        drm/i915/gvt: Allow F_CMD_ACCESS on mmio 0x21f0
        drm/rockchip: add missing of_node_put
      1092a94f
    • Linus Torvalds's avatar
      Merge tag 'led-fix-for-5.0-rc3' of... · 2451f371
      Linus Torvalds authored
      Merge tag 'led-fix-for-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED fix from Jacek Anaszewski.
      
      * tag 'led-fix-for-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        leds: lp5523: fix a missing check of return value of lp55xx_read
      2451f371
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-v5.0-rc3' of... · 0a2fbed8
      Linus Torvalds authored
      Merge tag 'hwmon-for-v5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
       "Minor fixes/regressions"
      
      * tag 'hwmon-for-v5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (tmp421) Correct the misspelling of the tmp442 compatible attribute in OF device ID table
        hwmon: (occ) Fix potential integer overflow
        hwmon: (lm80) Fix missing unlock on error in set_fan_div()
        hwmon: (nct6775) Enable IO mapping for NCT6797D and NCT6798D
        hwmon: (nct6775) Fix chip ID for NCT6798D
      0a2fbed8
  3. 17 Jan, 2019 18 commits
  4. 16 Jan, 2019 11 commits
  5. 15 Jan, 2019 6 commits
    • Julia Lawall's avatar
      drm/sun4i: backend: add missing of_node_puts · 4bb0e6d7
      Julia Lawall authored
      The device node iterators perform an of_node_get on each
      iteration, so a jump out of the loop requires an of_node_put.
      
      Remote and port also have augmented reference counts, so drop them
      on each iteration and at the end of the function, respectively.
      Remote is only used for the address it contains, not for the
      contents of that address, so the reference count can be dropped
      immediately.
      
      The semantic patch that fixes the first part of this problem is
      as follows (http://coccinelle.lip6.fr):
      
      // <smpl>
      @@
      expression root,e;
      local idexpression child;
      iterator name for_each_child_of_node;
      @@
      
       for_each_available_child_of_node(root, child) {
         ... when != of_node_put(child)
             when != e = child
      +  of_node_put(child);
      ?  break;
         ...
      }
      ... when != child
      // </smpl>
      Signed-off-by: default avatarJulia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@bootlin.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/1547369264-24831-5-git-send-email-Julia.Lawall@lip6.fr
      4bb0e6d7
    • Tycho Andersen's avatar
      seccomp: fix UAF in user-trap code · a811dc61
      Tycho Andersen authored
      On the failure path, we do an fput() of the listener fd if the filter fails
      to install (e.g. because of a TSYNC race that's lost, or if the thread is
      killed, etc.). fput() doesn't actually release the fd, it just ads it to a
      work queue. Then the thread proceeds to free the filter, even though the
      listener struct file has a reference to it.
      
      To fix this, on the failure path let's set the private data to null, so we
      know in ->release() to ignore the filter.
      
      Reported-by: syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com
      Fixes: 6a21cc50 ("seccomp: add a return code to trap to userspace")
      Signed-off-by: default avatarTycho Andersen <tycho@tycho.ws>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      a811dc61
    • Linus Torvalds's avatar
      Merge tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 7939f8be
      Linus Torvalds authored
      Pull tracing fix from Steven Rostedt:
       "Andrea Righi fixed a NULL pointer dereference in trace_kprobe_create()
      
        It is possible to trigger a NULL pointer dereference by writing an
        incorrectly formatted string to the krpobe_events file"
      
      * tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()
      7939f8be
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · e8746440
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix regression in multi-SKB responses to RTM_GETADDR, from Arthur
          Gautier.
      
       2) Fix ipv6 frag parsing in openvswitch, from Yi-Hung Wei.
      
       3) Unbounded recursion in ipv4 and ipv6 GUE tunnels, from Stefano
          Brivio.
      
       4) Use after free in hns driver, from Yonglong Liu.
      
       5) icmp6_send() needs to handle the case of NULL skb, from Eric
          Dumazet.
      
       6) Missing rcu read lock in __inet6_bind() when operating on mapped
          addresses, from David Ahern.
      
       7) Memory leak in tipc-nl_compat_publ_dump(), from Gustavo A. R. Silva.
      
       8) Fix PHY vs r8169 module loading ordering issues, from Heiner
          Kallweit.
      
       9) Fix bridge vlan memory leak, from Ido Schimmel.
      
      10) Dev refcount leak in AF_PACKET, from Jason Gunthorpe.
      
      11) Infoleak in ipv6_local_error(), flow label isn't completely
          initialized. From Eric Dumazet.
      
      12) Handle mv88e6390 errata, from Andrew Lunn.
      
      13) Making vhost/vsock CID hashing consistent, from Zha Bin.
      
      14) Fix lack of UMH cleanup when it unexpectedly exits, from Taehee Yoo.
      
      15) Bridge forwarding must clear skb->tstamp, from Paolo Abeni.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
        bnxt_en: Fix context memory allocation.
        bnxt_en: Fix ring checking logic on 57500 chips.
        mISDN: hfcsusb: Use struct_size() in kzalloc()
        net: clear skb->tstamp in bridge forwarding path
        net: bpfilter: disallow to remove bpfilter module while being used
        net: bpfilter: restart bpfilter_umh when error occurred
        net: bpfilter: use cleanup callback to release umh_info
        umh: add exit routine for UMH process
        isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
        vhost/vsock: fix vhost vsock cid hashing inconsistent
        net: stmmac: Prevent RX starvation in stmmac_napi_poll()
        net: stmmac: Fix the logic of checking if RX Watchdog must be enabled
        net: stmmac: Check if CBS is supported before configuring
        net: stmmac: dwxgmac2: Only clear interrupts that are active
        net: stmmac: Fix PCI module removal leak
        tools/bpf: fix bpftool map dump with bitfields
        tools/bpf: test btf bitfield with >=256 struct member offset
        bpf: fix bpffs bitfield pretty print
        net: ethernet: mediatek: fix warning in phy_start_aneg
        tcp: change txhash on SYN-data timeout
        ...
      e8746440
    • Andrea Righi's avatar
      tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create() · 8b05a3a7
      Andrea Righi authored
      It is possible to trigger a NULL pointer dereference by writing an
      incorrectly formatted string to krpobe_events (trying to create a
      kretprobe omitting the symbol).
      
      Example:
      
       echo "r:event_1 " >> /sys/kernel/debug/tracing/kprobe_events
      
      That triggers this:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
       #PF error: [normal kernel read fault]
       PGD 0 P4D 0
       Oops: 0000 [#1] SMP PTI
       CPU: 6 PID: 1757 Comm: bash Not tainted 5.0.0-rc1+ #125
       Hardware name: Dell Inc. XPS 13 9370/0F6P3V, BIOS 1.5.1 08/09/2018
       RIP: 0010:kstrtoull+0x2/0x20
       Code: 28 00 00 00 75 17 48 83 c4 18 5b 41 5c 5d c3 b8 ea ff ff ff eb e1 b8 de ff ff ff eb da e8 d6 36 bb ff 66 0f 1f 44 00 00 31 c0 <80> 3f 2b 55 48 89 e5 0f 94 c0 48 01 c7 e8 5c ff ff ff 5d c3 66 2e
       RSP: 0018:ffffb5d482e57cb8 EFLAGS: 00010246
       RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff82b12720
       RDX: ffffb5d482e57cf8 RSI: 0000000000000000 RDI: 0000000000000000
       RBP: ffffb5d482e57d70 R08: ffffa0c05e5a7080 R09: ffffa0c05e003980
       R10: 0000000000000000 R11: 0000000040000000 R12: ffffa0c04fe87b08
       R13: 0000000000000001 R14: 000000000000000b R15: ffffa0c058d749e1
       FS:  00007f137c7f7740(0000) GS:ffffa0c05e580000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 0000000497d46004 CR4: 00000000003606e0
       Call Trace:
        ? trace_kprobe_create+0xb6/0x840
        ? _cond_resched+0x19/0x40
        ? _cond_resched+0x19/0x40
        ? __kmalloc+0x62/0x210
        ? argv_split+0x8f/0x140
        ? trace_kprobe_create+0x840/0x840
        ? trace_kprobe_create+0x840/0x840
        create_or_delete_trace_kprobe+0x11/0x30
        trace_run_command+0x50/0x90
        trace_parse_run_command+0xc1/0x160
        probes_write+0x10/0x20
        __vfs_write+0x3a/0x1b0
        ? apparmor_file_permission+0x1a/0x20
        ? security_file_permission+0x31/0xf0
        ? _cond_resched+0x19/0x40
        vfs_write+0xb1/0x1a0
        ksys_write+0x55/0xc0
        __x64_sys_write+0x1a/0x20
        do_syscall_64+0x5a/0x120
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fix by doing the proper argument checks in trace_kprobe_create().
      
      Cc: Ingo Molnar <mingo@redhat.com>
      Link: https://lore.kernel.org/lkml/20190111095108.b79a2ee026185cbd62365977@kernel.org
      Link: http://lkml.kernel.org/r/20190111060113.GA22841@xps-13
      Fixes: 6212dd29 ("tracing/kprobes: Use dyn_event framework for kprobe events")
      Acked-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarAndrea Righi <righi.andrea@gmail.com>
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      8b05a3a7
    • Michel Dänzer's avatar
      Revert "drm/amdgpu: validate user pitch alignment" · 92b0730e
      Michel Dänzer authored
      The check turned out to be too strict in some cases.
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      92b0730e