1. 22 May, 2018 7 commits
    • Shahed Shaikh's avatar
      qed: Fix mask for physical address in ILT entry · fdd13dd3
      Shahed Shaikh authored
      ILT entry requires 12 bit right shifted physical address.
      Existing mask for ILT entry of physical address i.e.
      ILT_ENTRY_PHY_ADDR_MASK is not sufficient to handle 64bit
      address because upper 8 bits of 64 bit address were getting
      masked which resulted in completer abort error on
      PCIe bus due to invalid address.
      
      Fix that mask to handle 64bit physical address.
      
      Fixes: fe56b9e6 ("qed: Add module with basic common support")
      Signed-off-by: default avatarShahed Shaikh <shahed.shaikh@cavium.com>
      Signed-off-by: default avatarAriel Elior <ariel.elior@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fdd13dd3
    • Eric Dumazet's avatar
      ipmr: properly check rhltable_init() return value · 66fb3325
      Eric Dumazet authored
      commit 8fb472c0 ("ipmr: improve hash scalability")
      added a call to rhltable_init() without checking its return value.
      
      This problem was then later copied to IPv6 and factorized in commit
      0bbbf0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 31552 Comm: syz-executor7 Not tainted 4.17.0-rc5+ #60
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:rht_key_hashfn include/linux/rhashtable.h:277 [inline]
      RIP: 0010:__rhashtable_lookup include/linux/rhashtable.h:630 [inline]
      RIP: 0010:rhltable_lookup include/linux/rhashtable.h:716 [inline]
      RIP: 0010:mr_mfc_find_parent+0x2ad/0xbb0 net/ipv4/ipmr_base.c:63
      RSP: 0018:ffff8801826aef70 EFLAGS: 00010203
      RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffc90001ea0000
      RDX: 0000000000000079 RSI: ffffffff8661e859 RDI: 000000000000000c
      RBP: ffff8801826af1c0 R08: ffff8801b2212000 R09: ffffed003b5e46c2
      R10: ffffed003b5e46c2 R11: ffff8801daf23613 R12: dffffc0000000000
      R13: ffff8801826af198 R14: ffff8801cf8225c0 R15: ffff8801826af658
      FS:  00007ff7fa732700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000003ffffff9c CR3: 00000001b0210000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       ip6mr_cache_find_parent net/ipv6/ip6mr.c:981 [inline]
       ip6mr_mfc_delete+0x1fe/0x6b0 net/ipv6/ip6mr.c:1221
       ip6_mroute_setsockopt+0x15c6/0x1d70 net/ipv6/ip6mr.c:1698
       do_ipv6_setsockopt.isra.9+0x422/0x4660 net/ipv6/ipv6_sockglue.c:163
       ipv6_setsockopt+0xbd/0x170 net/ipv6/ipv6_sockglue.c:922
       rawv6_setsockopt+0x59/0x140 net/ipv6/raw.c:1060
       sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
       __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
       __do_sys_setsockopt net/socket.c:1914 [inline]
       __se_sys_setsockopt net/socket.c:1911 [inline]
       __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 8fb472c0 ("ipmr: improve hash scalability")
      Fixes: 0bbbf0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Cc: Yuval Mintz <yuvalm@mellanox.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66fb3325
    • Alexey Kodanev's avatar
      dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() · 2677d206
      Alexey Kodanev authored
      Syzbot reported the use-after-free in timer_is_static_object() [1].
      
      This can happen because the structure for the rto timer (ccid2_hc_tx_sock)
      is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be
      called after that.
      
      The report [1] is similar to the one in commit 120e9dab ("dccp:
      defer ccid_hc_tx_delete() at dismantle time"). And the fix is the same,
      delay freeing ccid2_hc_tx_sock structure, so that it is freed in
      dccp_sk_destruct().
      
      [1]
      
      ==================================================================
      BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90
      kernel/time/timer.c:607
      Read of size 8 at addr ffff8801bebb5118 by task syz-executor2/25299
      
      CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        <IRQ>
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1b9/0x294 lib/dump_stack.c:113
        print_address_description+0x6c/0x20b mm/kasan/report.c:256
        kasan_report_error mm/kasan/report.c:354 [inline]
        kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
        __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
        timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
        debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
        debug_timer_activate kernel/time/timer.c:709 [inline]
        debug_activate kernel/time/timer.c:764 [inline]
        __mod_timer kernel/time/timer.c:1041 [inline]
        mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
        sk_reset_timer+0x22/0x60 net/core/sock.c:2742
        ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
        call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
        expire_timers kernel/time/timer.c:1363 [inline]
        __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
        run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
        __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
        invoke_softirq kernel/softirq.c:365 [inline]
        irq_exit+0x1d1/0x200 kernel/softirq.c:405
        exiting_irq arch/x86/include/asm/apic.h:525 [inline]
        smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
        apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
        </IRQ>
      ...
      Allocated by task 25374:
        save_stack+0x43/0xd0 mm/kasan/kasan.c:448
        set_track mm/kasan/kasan.c:460 [inline]
        kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
        kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
        kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
        ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
        dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
        __dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
        dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
        dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
        dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
        dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
        dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
        dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
        ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
        NF_HOOK include/linux/netfilter.h:288 [inline]
        ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
        dst_input include/net/dst.h:450 [inline]
        ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
        NF_HOOK include/linux/netfilter.h:288 [inline]
        ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
        __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
        __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
        process_backlog+0x219/0x760 net/core/dev.c:5337
        napi_poll net/core/dev.c:5735 [inline]
        net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
        __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
      
      Freed by task 25374:
        save_stack+0x43/0xd0 mm/kasan/kasan.c:448
        set_track mm/kasan/kasan.c:460 [inline]
        __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
        kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
        __cache_free mm/slab.c:3498 [inline]
        kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
        ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190
        dccp_disconnect+0x130/0xc66 net/dccp/proto.c:286
        dccp_close+0x3bc/0xe60 net/dccp/proto.c:1045
        inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
        inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
        sock_release+0x96/0x1b0 net/socket.c:594
        sock_close+0x16/0x20 net/socket.c:1149
        __fput+0x34d/0x890 fs/file_table.c:209
        ____fput+0x15/0x20 fs/file_table.c:243
        task_work_run+0x1e4/0x290 kernel/task_work.c:113
        tracehook_notify_resume include/linux/tracehook.h:191 [inline]
        exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
        prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
        do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8801bebb4cc0
        which belongs to the cache ccid2_hc_tx_sock of size 1240
      The buggy address is located 1112 bytes inside of
        1240-byte region [ffff8801bebb4cc0, ffff8801bebb5198)
      The buggy address belongs to the page:
      page:ffffea0006faed00 count:1 mapcount:0 mapping:ffff8801bebb41c0
      index:0xffff8801bebb5240 compound_mapcount: 0
      flags: 0x2fffc0000008100(slab|head)
      raw: 02fffc0000008100 ffff8801bebb41c0 ffff8801bebb5240 0000000100000003
      raw: ffff8801cdba3138 ffffea0007634120 ffff8801cdbaab40 0000000000000000
      page dumped because: kasan: bad access detected
      ...
      ==================================================================
      
      Reported-by: syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2677d206
    • Wenwen Wang's avatar
      isdn: eicon: fix a missing-check bug · 6009d1fe
      Wenwen Wang authored
      In divasmain.c, the function divas_write() firstly invokes the function
      diva_xdi_open_adapter() to open the adapter that matches with the adapter
      number provided by the user, and then invokes the function diva_xdi_write()
      to perform the write operation using the matched adapter. The two functions
      diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c.
      
      In diva_xdi_open_adapter(), the user command is copied to the object 'msg'
      from the userspace pointer 'src' through the function pointer 'cp_fn',
      which eventually calls copy_from_user() to do the copy. Then, the adapter
      number 'msg.adapter' is used to find out a matched adapter from the
      'adapter_queue'. A matched adapter will be returned if it is found.
      Otherwise, NULL is returned to indicate the failure of the verification on
      the adapter number.
      
      As mentioned above, if a matched adapter is returned, the function
      diva_xdi_write() is invoked to perform the write operation. In this
      function, the user command is copied once again from the userspace pointer
      'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as
      both of them are from the 'buf' pointer in divas_write(). Similarly, the
      copy is achieved through the function pointer 'cp_fn', which finally calls
      copy_from_user(). After the successful copy, the corresponding command
      processing handler of the matched adapter is invoked to perform the write
      operation.
      
      It is obvious that there are two copies here from userspace, one is in
      diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of
      these two copies share the same source userspace pointer, i.e., the 'buf'
      pointer in divas_write(). Given that a malicious userspace process can race
      to change the content pointed by the 'buf' pointer, this can pose potential
      security issues. For example, in the first copy, the user provides a valid
      adapter number to pass the verification process and a valid adapter can be
      found. Then the user can modify the adapter number to an invalid number.
      This way, the user can bypass the verification process of the adapter
      number and inject inconsistent data.
      
      This patch reuses the data copied in
      diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
      above issues can be avoided.
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6009d1fe
    • Fabio Estevam's avatar
      net: fec: Add a SPDX identifier · 1f508124
      Fabio Estevam authored
      Currently there is no license information in the header of
      this file.
      
      The MODULE_LICENSE field contains ("GPL"), which means
      GNU Public License v2 or later, so add a corresponding
      SPDX license identifier.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f508124
    • Fabio Estevam's avatar
      net: fec: ptp: Switch to SPDX identifier · 9fcca5ef
      Fabio Estevam authored
      Adopt the SPDX license identifier headers to ease license compliance
      management.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9fcca5ef
    • Xin Long's avatar
      sctp: fix the issue that flags are ignored when using kernel_connect · 644fbdea
      Xin Long authored
      Now sctp uses inet_dgram_connect as its proto_ops .connect, and the flags
      param can't be passed into its proto .connect where this flags is really
      needed.
      
      sctp works around it by getting flags from socket file in __sctp_connect.
      It works for connecting from userspace, as inherently the user sock has
      socket file and it passes f_flags as the flags param into the proto_ops
      .connect.
      
      However, the sock created by sock_create_kern doesn't have a socket file,
      and it passes the flags (like O_NONBLOCK) by using the flags param in
      kernel_connect, which calls proto_ops .connect later.
      
      So to fix it, this patch defines a new proto_ops .connect for sctp,
      sctp_inet_connect, which calls __sctp_connect() directly with this
      flags param. After this, the sctp's proto .connect can be removed.
      
      Note that sctp_inet_connect doesn't need to do some checks that are not
      needed for sctp, which makes thing better than with inet_dgram_connect.
      Suggested-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      644fbdea
  2. 21 May, 2018 2 commits
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · 6741c4bb
      Linus Torvalds authored
      Pull MIPS fixes from James Hogan:
      
       - fix build with DEBUG_ZBOOT and MACH_JZ4770 (4.16)
      
       - include xilfpga FDT in fitImage and stop generating dtb.o (4.15)
      
       - fix software IO coherence on CM SMP systems (4.8)
      
       - ptrace: Fix PEEKUSR/POKEUSR to o32 FGRs (3.14)
      
       - ptrace: Expose FIR register through FP regset (3.13)
      
       - fix typo in KVM debugfs file name (3.10)
      
      * tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
        MIPS: xilfpga: Actually include FDT in fitImage
        MIPS: xilfpga: Stop generating useless dtb.o
        KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
        MIPS: ptrace: Expose FIR register through FP regset
        MIPS: Fix build with DEBUG_ZBOOT and MACH_JZ4770
        MIPS: c-r4k: Fix data corruption related to cache coherence
      6741c4bb
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 5aef268a
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix refcounting bug for connections in on-packet scheduling mode of
          IPVS, from Julian Anastasov.
      
       2) Set network header properly in AF_PACKET's packet_snd, from Willem
          de Bruijn.
      
       3) Fix regressions in 3c59x by converting to generic DMA API. It was
          relying upon the hack that the PCI DMA interfaces would accept NULL
          for EISA devices. From Christoph Hellwig.
      
       4) Remove RDMA devices before unregistering netdev in QEDE driver, from
          Michal Kalderon.
      
       5) Use after free in TUN driver ptr_ring usage, from Jason Wang.
      
       6) Properly check for missing netlink attributes in SMC_PNETID
          requests, from Eric Biggers.
      
       7) Set DMA mask before performaing any DMA operations in vmxnet3
          driver, from Regis Duchesne.
      
       8) Fix mlx5 build with SMP=n, from Saeed Mahameed.
      
       9) Classifier fixes in bcm_sf2 driver from Florian Fainelli.
      
      10) Tuntap use after free during release, from Jason Wang.
      
      11) Don't use stack memory in scatterlists in tls code, from Matt
          Mullins.
      
      12) Not fully initialized flow key object in ipv4 routing code, from
          David Ahern.
      
      13) Various packet headroom bug fixes in ip6_gre driver, from Petr
          Machata.
      
      14) Remove queues from XPS maps using correct index, from Amritha
          Nambiar.
      
      15) Fix use after free in sock_diag, from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (64 commits)
        net: ip6_gre: fix tunnel metadata device sharing.
        cxgb4: fix offset in collecting TX rate limit info
        net: sched: red: avoid hashing NULL child
        sock_diag: fix use-after-free read in __sk_free
        sh_eth: Change platform check to CONFIG_ARCH_RENESAS
        net: dsa: Do not register devlink for unused ports
        net: Fix a bug in removing queues from XPS map
        bpf: fix truncated jump targets on heavy expansions
        bpf: parse and verdict prog attach may race with bpf map update
        bpf: sockmap update rollback on error can incorrectly dec prog refcnt
        net: test tailroom before appending to linear skb
        net: ip6_gre: Fix ip6erspan hlen calculation
        net: ip6_gre: Split up ip6gre_changelink()
        net: ip6_gre: Split up ip6gre_newlink()
        net: ip6_gre: Split up ip6gre_tnl_change()
        net: ip6_gre: Split up ip6gre_tnl_link_config()
        net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit()
        net: ip6_gre: Request headroom in __gre6_xmit()
        selftests/bpf: check return value of fopen in test_verifier.c
        erspan: fix invalid erspan version.
        ...
      5aef268a
  3. 20 May, 2018 15 commits
    • Linus Torvalds's avatar
      Linux 4.17-rc6 · 771c577c
      Linus Torvalds authored
      771c577c
    • Linus Torvalds's avatar
      Merge branch 'parisc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 6fd5a36a
      Linus Torvalds authored
      Pull parisc fixlets from Helge Deller:
       "Three small section mismatch fixes, one of them was found by 0-day
        test infrastructure"
      
      * 'parisc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Move ccio_cujo20_fixup() into init section
        parisc: Move setup_profiling_timer() out of init section
        parisc: Move find_pa_parent_type() out of init section
      6fd5a36a
    • Linus Torvalds's avatar
      Merge tag 'for-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · e5e03ad9
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "We've accumulated some fixes during the last week, some of them were
        in the works for a longer time but there are some newer ones too.
      
        Most of the fixes have a reproducer and fix user visible problems,
        also candidates for stable kernels. They IMHO qualify for a late rc,
        though I did not expect that many"
      
      * tag 'for-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix crash when trying to resume balance without the resume flag
        btrfs: Fix delalloc inodes invalidation during transaction abort
        btrfs: Split btrfs_del_delalloc_inode into 2 functions
        btrfs: fix reading stale metadata blocks after degraded raid1 mounts
        btrfs: property: Set incompat flag if lzo/zstd compression is set
        Btrfs: fix duplicate extents after fsync of file with prealloc extents
        Btrfs: fix xattr loss after power failure
        Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting
      e5e03ad9
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 132ce5d4
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
      
       - Łukasz Stelmach spotted a couple of issues with the decompressor.
      
       - a couple of kdump fixes found while testing kdump
      
       - replace some perl with shell code
      
       - resolve SIGFPE breakage
      
       - kprobes fixes
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: fix kill( ,SIGFPE) breakage
        ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions
        ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr
        ARM: 8770/1: kprobes: Prohibit probing on optimized_callback
        ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
        ARM: replace unnecessary perl with sed and the shell $(( )) operator
        ARM: kexec: record parent context registers for non-crash CPUs
        ARM: kexec: fix kdump register saving on panic()
        ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel
        ARM: 8753/1: decompressor: add a missing parameter to the addruart macro
      132ce5d4
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8a6bd2f4
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "An unfortunately larger set of fixes, but a large portion is
        selftests:
      
         - Fix the missing clusterid initializaiton for x2apic cluster
           management which caused boot failures due to IPIs being sent to the
           wrong cluster
      
         - Drop TX_COMPAT when a 64bit executable is exec()'ed from a compat
           task
      
         - Wrap access to __supported_pte_mask in __startup_64() where clang
           compile fails due to a non PC relative access being generated.
      
         - Two fixes for 5 level paging fallout in the decompressor:
      
            - Handle GOT correctly for paging_prepare() and
              cleanup_trampoline()
      
            - Fix the page table handling in cleanup_trampoline() to avoid
              page table corruption.
      
         - Stop special casing protection key 0 as this is inconsistent with
           the manpage and also inconsistent with the allocation map handling.
      
         - Override the protection key wen moving away from PROT_EXEC to
           prevent inaccessible memory.
      
         - Fix and update the protection key selftests to address breakage and
           to cover the above issue
      
         - Add a MOV SS self test"
      
      [ Part of the x86 fixes were in the earlier core pull due to dependencies ]
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (21 commits)
        x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
        x86/apic/x2apic: Initialize cluster ID properly
        x86/boot/compressed/64: Fix moving page table out of trampoline memory
        x86/boot/compressed/64: Set up GOT for paging_prepare() and cleanup_trampoline()
        x86/pkeys: Do not special case protection key 0
        x86/pkeys/selftests: Add a test for pkey 0
        x86/pkeys/selftests: Save off 'prot' for allocations
        x86/pkeys/selftests: Fix pointer math
        x86/pkeys: Override pkey when moving away from PROT_EXEC
        x86/pkeys/selftests: Fix pkey exhaustion test off-by-one
        x86/pkeys/selftests: Add PROT_EXEC test
        x86/pkeys/selftests: Factor out "instruction page"
        x86/pkeys/selftests: Allow faults on unknown keys
        x86/pkeys/selftests: Avoid printf-in-signal deadlocks
        x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal
        x86/pkeys/selftests: Stop using assert()
        x86/pkeys/selftests: Give better unexpected fault error messages
        x86/selftests: Add mov_to_ss test
        x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI
        x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI
        ...
      8a6bd2f4
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b9aad922
      Linus Torvalds authored
      Pull UP timer fix from Thomas Gleixner:
       "Work around the for_each_cpu() oddity on UP kernels in the tick
        broadcast code which causes boot failures because the CPU0 bit is
        always reported as set independent of the cpumask content"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        tick/broadcast: Use for_each_cpu() specially on UP kernels
      b9aad922
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 441cab96
      Linus Torvalds authored
      Pull scheduler fixlets from Thomas Gleixner:
       "Three trivial fixlets for the scheduler:
      
         - move print_rt_rq() and print_dl_rq() declarations to the right
           place
      
         - make grub_reclaim() static
      
         - fix the bogus documentation reference in Kconfig"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/fair: Fix documentation file path
        sched/deadline: Make the grub_reclaim() function static
        sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h
      441cab96
    • Linus Torvalds's avatar
      Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 74cce52f
      Linus Torvalds authored
      Pull RAS fix from Thomas Gleixner:
       "Fix a regression in the new AMD SMCA code which issues an SMP function
        call from the early interrupt disabled region of CPU hotplug. To avoid
        that, use cached block addresses which can be used directly"
      
      * 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/MCE/AMD: Cache SMCA MISC block addresses
      74cce52f
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 95bcce4d
      Linus Torvalds authored
      Pull perf tooling fixes from Thomas Gleixner:
      
       - fix segfault when processing unknown threads in cs-etm
      
       - fix "perf test inet_pton" on s390 failing due to missing inline
      
       - display all available events on 'perf annotate --stdio'
      
       - add missing newline when parsing an empty BPF program
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf tools: Add missing newline when parsing empty BPF proggie
        perf cs-etm: Remove redundant space
        perf cs-etm: Support unknown_thread in cs_etm_auxtrace
        perf annotate: Display all available events on --stdio
        perf test: "probe libc's inet_pton" fails on s390 due to missing inline
      95bcce4d
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4b65f455
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "Two fixes to address shortcomings of the rwsem/percpu-rwsem lock
        debugging code which emits false positive warnings when the rwsem is
        anonymously locked and unlocked"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN
        locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag
      4b65f455
    • Linus Torvalds's avatar
      Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 056ad121
      Linus Torvalds authored
      Pull EFI fixes from Thomas Gleixner:
      
       - Use explicitely sized type for the romimage pointer in the 32bit EFI
         protocol struct so a 64bit kernel does not expand it to 64bit. Ditto
         for the 64bit struct to avoid the reverse issue on 32bit kernels.
      
       - Handle randomized tex offset correctly in the ARM64 EFI stub to avoid
         unaligned data resulting in stack corruption and other hard to
         diagnose wreckage.
      
      * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi/libstub/arm64: Handle randomized TEXT_OFFSET
        efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode
      056ad121
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 583dbad3
      Linus Torvalds authored
      Pull core fixes from Thomas Gleixner:
      
       - Unbreak the BPF compilation which got broken by the unconditional
         requirement of asm-goto, which is not supported by clang.
      
       - Prevent probing on exception masking instructions in uprobes and
         kprobes to avoid the issues of the delayed exceptions instead of
         having an ugly workaround.
      
       - Prevent a double free_page() in the error path of do_kexec_load()
      
       - A set of objtool updates addressing various issues mostly related to
         switch tables and the noreturn detection for recursive sibling calls
      
       - Header sync for tools.
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Detect RIP-relative switch table references, part 2
        objtool: Detect RIP-relative switch table references
        objtool: Support GCC 8 switch tables
        objtool: Support GCC 8's cold subfunctions
        objtool: Fix "noreturn" detection for recursive sibling calls
        objtool, kprobes/x86: Sync the latest <asm/insn.h> header with tools/objtool/arch/x86/include/asm/insn.h
        x86/cpufeature: Guard asm_volatile_goto usage for BPF compilation
        uprobes/x86: Prohibit probing on MOV SS instruction
        kprobes/x86: Prohibit probing on exception masking instructions
        x86/kexec: Avoid double free_page() upon do_kexec_load() failure
      583dbad3
    • William Tu's avatar
      net: ip6_gre: fix tunnel metadata device sharing. · b80d0b93
      William Tu authored
      Currently ip6gre and ip6erspan share single metadata mode device,
      using 'collect_md_tun'.  Thus, when doing:
        ip link add dev ip6gre11 type ip6gretap external
        ip link add dev ip6erspan12 type ip6erspan external
        RTNETLINK answers: File exists
      simply fails due to the 2nd tries to create the same collect_md_tun.
      
      The patch fixes it by adding a separate collect md tunnel device
      for the ip6erspan, 'collect_md_tun_erspan'.  As a result, a couple
      of places need to refactor/split up in order to distinguish ip6gre
      and ip6erspan.
      
      First, move the collect_md check at ip6gre_tunnel_{unlink,link} and
      create separate function {ip6gre,ip6ersapn}_tunnel_{link_md,unlink_md}.
      Then before link/unlink, make sure the link_md/unlink_md is called.
      Finally, a separate ndo_uninit is created for ip6erspan.  Tested it
      using the samples/bpf/test_tunnel_bpf.sh.
      
      Fixes: ef7baf5e ("ip6_gre: add ip6 erspan collect_md mode")
      Signed-off-by: default avatarWilliam Tu <u9012063@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b80d0b93
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 203ec2fe
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A handful of fixes. I've been queuing them up a bit too long so the
        list is longer than it otherwise would have been spread out across a
        few -rcs.
      
        In general, it's a scattering of fixes across several platforms,
        nothing truly serious enough to point out.
      
        There's a slightly larger batch of them for the Davinci platforms due
        to work to bring them back to life after some time, so there's a
        handful of regressions, some of them going back very far, others more
        recent.
      
        There's also a few patches fixing DT on Renesas platforms since they
        changed some bindings without remaining backwards compatible,
        splitting up describing LVDS as a proper bridge instead of having it
        as part of the display unit.
      
        We could push for them to be backwards compatible with old device
        trees, but it's likely to regress eventually if nobody's actually
        using said compatibility"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (36 commits)
        ARM: davinci: board-dm646x-evm: set VPIF capture card name
        ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF
        ARM: davinci: dm646x: fix timer interrupt generation
        ARM: keystone: fix platform_domain_notifier array overrun
        arm64: dts: exynos: Fix interrupt type for I2S1 device on Exynos5433
        ARM: dts: imx51-zii-rdu1: fix touchscreen bindings
        firmware: arm_scmi: Use after free in scmi_create_protocol_device()
        ARM: dts: cygnus: fix irq type for arm global timer
        Revert "ARM: dts: logicpd-som-lv: Fix pinmux controller references"
        tee: check shm references are consistent in offset/size
        tee: shm: fix use-after-free via temporarily dropped reference
        ARM: dts: imx7s: Pass the 'fsl,sec-era' property
        ARM: dts: tegra20: Revert "Fix ULPI regression on Tegra20"
        ARM: dts: correct missing "compatible" entry for ti81xx SoCs
        ARM: OMAP1: ams-delta: fix deferred_fiq handler
        arm64: tegra: Make BCM89610 PHY interrupt as active low
        ARM: davinci: fix GPIO lookup for I2C
        ARM: dts: logicpd-som-lv: Fix pinmux controller references
        ARM: dts: logicpd-som-lv: Fix Audio Mute
        ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues
        ...
      203ec2fe
    • Olof Johansson's avatar
      Merge tag 'tegra-for-4.17-fixes-2' of... · 709f490d
      Olof Johansson authored
      Merge tag 'tegra-for-4.17-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into fixes
      
      arm64: tegra: Device tree fixes for v4.17
      
      This contains a one-line update to the device tree of the Tegra186 P3310
      processor module, fixing the polarity of the PHY interrupt. Originally,
      this was queued to go into v4.18, but the PHY ID matching patch has now
      found its way into v4.17-rc5, which means that the PHY driver will know
      how to identify the PHY on this board and try to use the interrupt. This
      will unfortunately cause networking to break on P3310, hence why I think
      this should go into v4.17.
      
      * tag 'tegra-for-4.17-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux:
        arm64: tegra: Make BCM89610 PHY interrupt as active low
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      709f490d
  4. 19 May, 2018 16 commits
    • Russell King's avatar
      ARM: fix kill( ,SIGFPE) breakage · 92d44a42
      Russell King authored
      Commit 7771c664 ("signal/arm: Document conflicts with SI_USER and
      SIGFPE") broke the siginfo structure for userspace triggered signals,
      causing the strace testsuite to regress.  Fix this by eliminating
      the FPE_FIXME definition (which is at the root of the breakage) and
      use FPE_FLTINV instead for the case where the hardware appears to be
      reporting nonsense.
      
      Fixes: 7771c664 ("signal/arm: Document conflicts with SI_USER and SIGFPE")
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      92d44a42
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-4.17-rc6' of git://git.infradead.org/users/vkoul/slave-dma · 0b449a44
      Linus Torvalds authored
      Pull dmaengine fix from Vinod Koul:
      
       - qcom bam runtime_pm fix
      
       - email update for Vinod
      
      * tag 'dmaengine-fix-4.17-rc6' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: qcom: bam_dma: check if the runtime pm enabled
        dmaengine: Update email address for Vinod
      0b449a44
    • Linus Torvalds's avatar
      mmap: relax file size limit for regular files · 423913ad
      Linus Torvalds authored
      Commit be83bbf8 ("mmap: introduce sane default mmap limits") was
      introduced to catch problems in various ad-hoc character device drivers
      doing mmap and getting the size limits wrong.  In the process, it used
      "known good" limits for the normal cases of mapping regular files and
      block device drivers.
      
      It turns out that the "s_maxbytes" limit was less "known good" than I
      thought.  In particular, /proc doesn't set it, but exposes one regular
      file to mmap: /proc/vmcore.  As a result, that file got limited to the
      default MAX_INT s_maxbytes value.
      
      This went unnoticed for a while, because apparently the only thing that
      needs it is the s390 kernel zfcpdump, but there might be other tools
      that use this too.
      
      Vasily suggested just changing s_maxbytes for all of /proc, which isn't
      wrong, but makes me nervous at this stage.  So instead, just make the
      new mmap limit always be MAX_LFS_FILESIZE for regular files, which won't
      affect anything else.  It wasn't the regular file case I was worried
      about.
      
      I'd really prefer for maxsize to have been per-inode, but that is not
      how things are today.
      
      Fixes: be83bbf8 ("mmap: introduce sane default mmap limits")
      Reported-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      423913ad
    • Borislav Petkov's avatar
      x86/MCE/AMD: Cache SMCA MISC block addresses · 78ce2410
      Borislav Petkov authored
      ... into a global, two-dimensional array and service subsequent reads from
      that cache to avoid rdmsr_on_cpu() calls during CPU hotplug (IPIs with IRQs
      disabled).
      
      In addition, this fixes a KASAN slab-out-of-bounds read due to wrong usage
      of the bank->blocks pointer.
      
      Fixes: 27bd5950 ("x86/mce/AMD: Get address from already initialized block")
      Reported-by: default avatarJohannes Hirte <johannes.hirte@datenkhaos.de>
      Tested-by: default avatarJohannes Hirte <johannes.hirte@datenkhaos.de>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Yazen Ghannam <yazen.ghannam@amd.com>
      Link: http://lkml.kernel.org/r/20180414004230.GA2033@probook
      78ce2410
    • Masami Hiramatsu's avatar
      ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions · 0d73c3f8
      Masami Hiramatsu authored
      Since do_undefinstr() uses get_user to get the undefined
      instruction, it can be called before kprobes processes
      recursive check. This can cause an infinit recursive
      exception.
      Prohibit probing on get_user functions.
      
      Fixes: 24ba613c ("ARM kprobes: core code")
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      0d73c3f8
    • Masami Hiramatsu's avatar
      ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr · eb0146da
      Masami Hiramatsu authored
      Prohibit kprobes on do_undefinstr because kprobes on
      arm is implemented by undefined instruction. This means
      if we probe do_undefinstr(), it can cause infinit
      recursive exception.
      
      Fixes: 24ba613c ("ARM kprobes: core code")
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      eb0146da
    • Masami Hiramatsu's avatar
      ARM: 8770/1: kprobes: Prohibit probing on optimized_callback · 70948c05
      Masami Hiramatsu authored
      Prohibit probing on optimized_callback() because
      it is called from kprobes itself. If we put a kprobes
      on it, that will cause a recursive call loop.
      Mark it NOKPROBE_SYMBOL.
      
      Fixes: 0dc016db ("ARM: kprobes: enable OPTPROBES for ARM 32")
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      70948c05
    • Masami Hiramatsu's avatar
      ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed · 69af7e23
      Masami Hiramatsu authored
      Since get_kprobe_ctlblk() uses smp_processor_id() to access
      per-cpu variable, it hits smp_processor_id sanity check as below.
      
      [    7.006928] BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
      [    7.007859] caller is debug_smp_processor_id+0x20/0x24
      [    7.008438] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0-rc1-00192-g4eb17253e4b5 #1
      [    7.008890] Hardware name: Generic DT based system
      [    7.009917] [<c0313f0c>] (unwind_backtrace) from [<c030e6d8>] (show_stack+0x20/0x24)
      [    7.010473] [<c030e6d8>] (show_stack) from [<c0c64694>] (dump_stack+0x84/0x98)
      [    7.010990] [<c0c64694>] (dump_stack) from [<c071ca5c>] (check_preemption_disabled+0x138/0x13c)
      [    7.011592] [<c071ca5c>] (check_preemption_disabled) from [<c071ca80>] (debug_smp_processor_id+0x20/0x24)
      [    7.012214] [<c071ca80>] (debug_smp_processor_id) from [<c03335e0>] (optimized_callback+0x2c/0xe4)
      [    7.013077] [<c03335e0>] (optimized_callback) from [<bf0021b0>] (0xbf0021b0)
      
      To fix this issue, call get_kprobe_ctlblk() right after
      irq-disabled since that disables preemption.
      
      Fixes: 0dc016db ("ARM: kprobes: enable OPTPROBES for ARM 32")
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      69af7e23
    • Russell King's avatar
      ARM: replace unnecessary perl with sed and the shell $(( )) operator · 6cea14f5
      Russell King authored
      You can build a kernel in a cross compiling environment that doesn't
      have perl in the $PATH. Commit 429f7a06 broke that for 32 bit
      ARM. Fix it.
      
      As reported by Stephen Rothwell, it appears that the symbols can be
      either part of the BSS section or absolute symbols depending on the
      binutils version.  When they're an absolute symbol, the $(( ))
      operator errors out and the build fails.  Fix this as well.
      
      Fixes: 429f7a06 ("ARM: decompressor: fix BSS size calculation")
      Reported-by: default avatarRob Landley <rob@landley.net>
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Acked-by: default avatarRob Landley <rob@landley.net>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      6cea14f5
    • Russell King's avatar
      ARM: kexec: record parent context registers for non-crash CPUs · 1c37963b
      Russell King authored
      How we got to machine_crash_nonpanic_core() (iow, from an IPI, etc) is
      not interesting for debugging a crash.  The more interesting context
      is the parent context prior to the IPI being received.
      
      Record the parent context register state rather than the register state
      in machine_crash_nonpanic_core(), which is more relevant to the failing
      condition.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      1c37963b
    • Russell King's avatar
      ARM: kexec: fix kdump register saving on panic() · 2d7b3c64
      Russell King authored
      When a panic() occurs, the kexec code uses smp_send_stop() to stop
      the other CPUs, but this results in the CPU register state not being
      saved, and gdb is unable to inspect the state of other CPUs.
      
      Commit 0ee59413 ("x86/panic: replace smp_send_stop() with kdump
      friendly version in panic path") addressed the issue on x86, but
      ignored other architectures.  Address the issue on ARM by splitting
      out the crash stop implementation to crash_smp_send_stop() and
      adding the necessary protection.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      2d7b3c64
    • Łukasz Stelmach's avatar
      ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel · f2ae9de0
      Łukasz Stelmach authored
      The hypervisor setup before __enter_kernel destroys the value
      sotred in r1. The value needs to be restored just before the jump.
      
      Fixes: 6b52f7bd ("ARM: hyp-stub: Use r1 for the soft-restart address")
      Signed-off-by: default avatarŁukasz Stelmach <l.stelmach@samsung.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      f2ae9de0
    • Łukasz Stelmach's avatar
      ARM: 8753/1: decompressor: add a missing parameter to the addruart macro · e07e3c33
      Łukasz Stelmach authored
      In commit 639da5ee ("ARM: add an extra temp register to the low
      level debugging addruart macro") an additional temporary register was
      added to the addruart macro, but the decompressor code wasn't updated.
      
      Fixes: 639da5ee ("ARM: add an extra temp register to the low level debugging addruart macro")
      Signed-off-by: default avatarŁukasz Stelmach <l.stelmach@samsung.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      e07e3c33
    • Dmitry Safonov's avatar
      x86/mm: Drop TS_COMPAT on 64-bit exec() syscall · acf46020
      Dmitry Safonov authored
      The x86 mmap() code selects the mmap base for an allocation depending on
      the bitness of the syscall. For 64bit sycalls it select mm->mmap_base and
      for 32bit mm->mmap_compat_base.
      
      exec() calls mmap() which in turn uses in_compat_syscall() to check whether
      the mapping is for a 32bit or a 64bit task. The decision is made on the
      following criteria:
      
        ia32    child->thread.status & TS_COMPAT
         x32    child->pt_regs.orig_ax & __X32_SYSCALL_BIT
        ia64    !ia32 && !x32
      
      __set_personality_x32() was dropping TS_COMPAT flag, but
      set_personality_64bit() has kept compat syscall flag making
      in_compat_syscall() return true during the first exec() syscall.
      
      Which in result has user-visible effects, mentioned by Alexey:
      1) It breaks ASAN
      $ gcc -fsanitize=address wrap.c -o wrap-asan
      $ ./wrap32 ./wrap-asan true
      ==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
      ==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range.
      ==1217==Process memory map follows:
              0x000000400000-0x000000401000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
              0x000000600000-0x000000601000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
              0x000000601000-0x000000602000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
              0x0000f7dbd000-0x0000f7de2000   /lib64/ld-2.27.so
              0x0000f7fe2000-0x0000f7fe3000   /lib64/ld-2.27.so
              0x0000f7fe3000-0x0000f7fe4000   /lib64/ld-2.27.so
              0x0000f7fe4000-0x0000f7fe5000
              0x7fed9abff000-0x7fed9af54000
              0x7fed9af54000-0x7fed9af6b000   /lib64/libgcc_s.so.1
      [snip]
      
      2) It doesn't seem to be great for security if an attacker always knows
      that ld.so is going to be mapped into the first 4GB in this case
      (the same thing happens for PIEs as well).
      
      The testcase:
      $ cat wrap.c
      
      int main(int argc, char *argv[]) {
        execvp(argv[1], &argv[1]);
        return 127;
      }
      
      $ gcc wrap.c -o wrap
      $ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE
      AT_BASE:         0x7f63b8309000
      AT_BASE:         0x7faec143c000
      AT_BASE:         0x7fbdb25fa000
      
      $ gcc -m32 wrap.c -o wrap32
      $ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE
      AT_BASE:         0xf7eff000
      AT_BASE:         0xf7cee000
      AT_BASE:         0x7f8b9774e000
      
      Fixes: 1b028f78 ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
      Fixes: ada26481 ("x86/mm: Make in_compat_syscall() work during exec")
      Reported-by: default avatarAlexey Izbyshev <izbyshev@ispras.ru>
      Bisected-by: default avatarAlexander Monakov <amonakov@ispras.ru>
      Investigated-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Alexander Monakov <amonakov@ispras.ru>
      Cc: Dmitry Safonov <0x7f454c46@gmail.com>
      Cc: stable@vger.kernel.org
      Cc: linux-mm@kvack.org
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Cyrill Gorcunov <gorcunov@openvz.org>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Link: https://lkml.kernel.org/r/20180517233510.24996-1-dima@arista.com
      acf46020
    • Josh Poimboeuf's avatar
      objtool: Detect RIP-relative switch table references, part 2 · 7dec80cc
      Josh Poimboeuf authored
      With the following commit:
      
        fd35c88b ("objtool: Support GCC 8 switch tables")
      
      I added a "can't find switch jump table" warning, to stop covering up
      silent failures if add_switch_table() can't find anything.
      
      That warning found yet another bug in the objtool switch table detection
      logic.  For cases 1 and 2 (as described in the comments of
      find_switch_table()), the find_symbol_containing() check doesn't adjust
      the offset for RIP-relative switch jumps.
      
      Incidentally, this bug was already fixed for case 3 with:
      
        6f5ec299 ("objtool: Detect RIP-relative switch table references")
      
      However, that commit missed the fix for cases 1 and 2.
      
      The different cases are now starting to look more and more alike.  So
      fix the bug by consolidating them into a single case, by checking the
      original dynamic jump instruction in the case 3 loop.
      
      This also simplifies the code and makes it more robust against future
      switch table detection issues -- of which I'm sure there will be many...
      
      Switch table detection has been the most fragile area of objtool, by
      far.  I long for the day when we'll have a GCC plugin for annotating
      switch tables.  Linus asked me to delay such a plugin due to the
      flakiness of the plugin infrastructure in older versions of GCC, so this
      rickety code is what we're stuck with for now.  At least the code is now
      a little simpler than it was.
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/f400541613d45689086329432f3095119ffbc328.1526674218.git.jpoimboe@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      7dec80cc
    • Mark Rutland's avatar
      efi/libstub/arm64: Handle randomized TEXT_OFFSET · 4f74d72a
      Mark Rutland authored
      When CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET is an arbitrary
      multiple of PAGE_SIZE in the interval [0, 2MB).
      
      The EFI stub does not account for the potential misalignment of
      TEXT_OFFSET relative to EFI_KIMG_ALIGN, and produces a randomized
      physical offset which is always a round multiple of EFI_KIMG_ALIGN.
      This may result in statically allocated objects whose alignment exceeds
      PAGE_SIZE to appear misaligned in memory. This has been observed to
      result in spurious stack overflow reports and failure to make use of
      the IRQ stacks, and theoretically could result in a number of other
      issues.
      
      We can OR in the low bits of TEXT_OFFSET to ensure that we have the
      necessary offset (and hence preserve the misalignment of TEXT_OFFSET
      relative to EFI_KIMG_ALIGN), so let's do that.
      Reported-by: default avatarKim Phillips <kim.phillips@arm.com>
      Tested-by: default avatarKim Phillips <kim.phillips@arm.com>
      [ardb: clarify comment and commit log, drop unneeded parens]
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Fixes: 6f26b367 ("arm64: kaslr: increase randomization granularity")
      Link: http://lkml.kernel.org/r/20180518140841.9731-2-ard.biesheuvel@linaro.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      4f74d72a