2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-23 04:34:11 +08:00
Commit Graph

811112 Commits

Author SHA1 Message Date
Pavel Shilovsky
3d3003fce8 CIFS: Fix credit calculations in compound mid callback
The current code doesn't do proper accounting for credits
in SMB1 case: it adds one credit per response only if we get
a complete response while it needs to return it unconditionally.
Fix this and also include malformed responses for SMB2+ into
accounting for credits because such responses have Credit
Granted field, thus nothing prevents to get a proper credit
value from them.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-24 14:52:06 -06:00
Pavel Shilovsky
ec678eae74 CIFS: Fix credit calculation for encrypted reads with errors
We do need to account for credits received in error responses
to read requests on encrypted sessions.

Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-24 14:52:05 -06:00
Pavel Shilovsky
8004c78c68 CIFS: Fix credits calculations for reads with errors
Currently we mark MID as malformed if we get an error from server
in a read response. This leads to not properly processing credits
in the readv callback. Fix this by marking such a response as
normal received response and process it appropriately.

Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-24 14:52:05 -06:00
Pavel Shilovsky
ef68e83184 CIFS: Do not reconnect TCP session in add_credits()
When executing add_credits() we currently call cifs_reconnect()
if the number of credits is zero and there are no requests in
flight. In this case we may call cifs_reconnect() recursively
twice and cause memory corruption given the following sequence
of functions:

mid1.callback() -> add_credits() -> cifs_reconnect() ->
-> mid2.callback() -> add_credits() -> cifs_reconnect().

Fix this by avoiding to call cifs_reconnect() in add_credits()
and checking for zero credits in the demultiplex thread.

Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-24 14:50:57 -06:00
Thomas Gleixner
b0b2cac7e2 smb3: Cleanup license mess
Precise and non-ambiguous license information is important. The recently
added aegis header file has a SPDX license identifier, which is nice, but
at the same time it has a contradictionary license boiler plate text.

  SPDX-License-Identifier: GPL-2.0

versus

  *   This program is free software;  you can redistribute it and/or modify
  *   it under the terms of the GNU General Public License as published by
  *   the Free Software Foundation; either version 2 of the License, or
  *   (at your option) any later version.

Oh well.

Assuming that the SPDX identifier is correct and according to x86/hyper-v
contributions from Microsoft GPL V2 only is the usual license.

Remove the boiler plate as it is wrong and even if correct it is redundant.

Fixes: eccb4422cf ("smb3: Add ftrace tracepoints for improved SMB3 debugging")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Steve French <sfrench@samba.org>
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-24 09:37:33 -06:00
Pavel Shilovsky
acc58d0bab CIFS: Fix possible hang during async MTU reads and writes
When doing MTU i/o we need to leave some credits for
possible reopen requests and other operations happening
in parallel. Currently we leave 1 credit which is not
enough even for reopen only: we need at least 2 credits
if durable handle reconnect fails. Also there may be
other operations at the same time including compounding
ones which require 3 credits at a time each. Fix this
by leaving 8 credits which is big enough to cover most
scenarios.

Was able to reproduce this when server was configured
to give out fewer credits than usual.

The proper fix would be to reconnect a file handle first
and then obtain credits for an MTU request but this leads
to bigger code changes and should happen in other patches.

Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-24 09:37:33 -06:00
Colin Ian King
73aaf920cc cifs: fix memory leak of an allocated cifs_ntsd structure
The call to SMB2_queary_acl can allocate memory to pntsd and also
return a failure via a call to SMB2_query_acl (and then query_info).
This occurs when query_info allocates the structure and then in
query_info the call to smb2_validate_and_copy_iov fails. Currently the
failure just returns without kfree'ing pntsd hence causing a memory
leak.

Currently, *data is allocated if it's not already pointing to a buffer,
so it needs to be kfree'd only if was allocated in query_info, so the
fix adds an allocated flag to track this.  Also set *dlen to zero on
an error just to be safe since *data is kfree'd.

Also set errno to -ENOMEM if the allocation of *data fails.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Dan Carpener <dan.carpenter@oracle.com>
2019-01-24 09:37:33 -06:00
Linus Torvalds
30bac164ac Revert "Change mincore() to count "mapped" pages rather than "cached" pages"
This reverts commit 574823bfab.

It turns out that my hope that we could just remove the code that
exposes the cache residency status from mincore() was too optimistic.

There are various random users that want it, and one example would be
the Netflix database cluster maintenance. To quote Josh Snyder:

 "For Netflix, losing accurate information from the mincore syscall
  would lengthen database cluster maintenance operations from days to
  months. We rely on cross-process mincore to migrate the contents of a
  page cache from machine to machine, and across reboots.

  To do this, I wrote and maintain happycache [1], a page cache
  dumper/loader tool. It is quite similar in architecture to pgfincore,
  except that it is agnostic to workload. The gist of happycache's
  operation is "produce a dump of residence status for each page, do
  some operation, then reload exactly the same pages which were present
  before." happycache is entirely dependent on accurate reporting of the
  in-core status of file-backed pages, as accessed by another process.

  We primarily use happycache with Cassandra, which (like Postgres +
  pgfincore) relies heavily on OS page cache to reduce disk accesses.
  Because our workloads never experience a cold page cache, we are able
  to provision hardware for a peak utilization level that is far lower
  than the hypothetical "every query is a cache miss" peak.

  A database warmed by happycache can be ready for service in seconds
  (bounded only by the performance of the drives and the I/O subsystem),
  with no period of in-service degradation. By contrast, putting a
  database in service without a page cache entails a potentially
  unbounded period of degradation (at Netflix, the time to populate a
  single node's cache via natural cache misses varies by workload from
  hours to weeks). If a single node upgrade were to take weeks, then
  upgrading an entire cluster would take months. Since we want to apply
  security upgrades (and other things) on a somewhat tighter schedule,
  we would have to develop more complex solutions to provide the same
  functionality already provided by mincore.

  At the bottom line, happycache is designed to benignly exploit the
  same information leak documented in the paper [2]. I think it makes
  perfect sense to remove cross-process mincore functionality from
  unprivileged users, but not to remove it entirely"

We do have an alternate approach that limits the cache residency
reporting only to processes that have write permissions to the file, so
we can fix the original information leak issue that way.  It involves
_adding_ code rather than removing it, which is sad, but hey, at least
we haven't found any users that would find the restrictions
unacceptable.

So revert the optimistic first approach to make room for that alternate
fix instead.

Reported-by: Josh Snyder <joshs@netflix.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Dominique Martinet <asmadeus@codewreck.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Kevin Easton <kevin@guarana.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Cyril Hrubis <chrubis@suse.cz>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Daniel Gruss <daniel@gruss.cc>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-24 09:04:37 +13:00
Linus Torvalds
db78144631 I missed the merge window, which wasn't really important at the time
as there was nothing that critical that I had for 5.0.
 
 However, I say that,and then a number of critical fixes come in:
 
   ipmi: fix use-after-free of user->release_barrier.rda
   ipmi: Prevent use-after-free in deliver_response
   ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
 
 which are obvious candidates for 5.0.  Then there is:
 
   ipmi:ssif: Fix handling of multi-part return messages
 
 which is less critical, but it still has some off-by-one things that
 are not great, so it seemed appropriate.  Some machines are broken
 without it.  Then:
 
   ipmi: Don't initialize anything in the core until something uses it
 
 It turns out that using SRCU causes large chunks of memory to be used
 on big iron machines, even if IPMI is never used.  This was causing
 some issues for people on those machines.
 
 Everything here is destined for stable.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE/Q1c5nzg9ZpmiCaGYfOMkJGb/4EFAlxIojsACgkQYfOMkJGb
 /4H+pg/+PCgbRVGujXyQsc73zmO4Mfo987bJV/G4U5Xvk4rNFczZ58iyY33LDTjy
 itfFbQQgJSEiVH5rnWOIjwMizhwKbLcXwzhdIBc9qpyPthNZxyU+GcuaAuueV9Hh
 9n5OpwmsHPUfHpaaJbZfUJgQXTqUd3L5PacYfM9kQp4cIHobUzbeM0C1Sl4L3m5g
 XQviOHClDj4bkrGGgXEnpLk+4rstDECX6el1VIF8tmOS+rAOc6SZmTCtaO+eMs7h
 Q1snbW/lW1/92nWiiBYnsKlHb34wumb7Ym3KZl4kR6HFexjkKMK4cRlG2ylddfjV
 vdauaOBz4h3BiujeOiaEAl+l0dB6zBBL7AtDHFsvEOhtB0veX+3y/puWYa6gS7ra
 829d4i5a/Dpci3FnDB9PnxvVbWnU5j56mKpxl7BsILJfw7kahUf5rfoePTfOrOUH
 yZB4e/zYRDT7bX4ZBlVfEzMjb2QT+RVRuMIdZX2ltLlfz8pUT35he0//9INuOedg
 ETm7lnlo6MuUQwbADosAJzVEDf2Z7VKUE495wZBtKa/IlTOZrZqNV9b4lpLQeVLQ
 EnDPz3XxVnGu/hOkv+c6VRJxgXdQExzdR90eHb8yRa9ZbFHghl4biWDbWnqkHIHN
 L4QjFgEMQkdKLg0xyxMJPFs0bljxD2IUyUnTlbN/mhOKm4zZJ4c=
 =qPvR
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-5.0' of git://github.com/cminyard/linux-ipmi

Pull IPMI fixes from Corey Minyard:
 "I missed the merge window, which wasn't really important at the time
  as there was nothing that critical that I had for 5.0.

  However, I say that,and then a number of critical fixes come in:

   - ipmi: fix use-after-free of user->release_barrier.rda
   - ipmi: Prevent use-after-free in deliver_response
   - ipmi: msghandler: Fix potential Spectre v1 vulnerabilities

  which are obvious candidates for 5.0.  Then there is:

   - ipmi:ssif: Fix handling of multi-part return messages

  which is less critical, but it still has some off-by-one things that
  are not great, so it seemed appropriate. Some machines are broken
  without it. Then:

   - ipmi: Don't initialize anything in the core until something uses it

  It turns out that using SRCU causes large chunks of memory to be used
  on big iron machines, even if IPMI is never used. This was causing
  some issues for people on those machines.

  Everything here is destined for stable"

* tag 'for-linus-5.0' of git://github.com/cminyard/linux-ipmi:
  ipmi: Don't initialize anything in the core until something uses it
  ipmi: fix use-after-free of user->release_barrier.rda
  ipmi: Prevent use-after-free in deliver_response
  ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
  ipmi:ssif: Fix handling of multi-part return messages
2019-01-24 09:00:19 +13:00
Linus Torvalds
09c2fe608a s390 update with bug fixes for 5.0-rc4
- Do not claim to run under z/VM if the hypervisor can not be identified
 
  - Fix crashes due to outdated ASCEs in CR1
 
  - Avoid a deadlock in regard to CPU hotplug
 
  - Really fix the vdso mapping issue for compat tasks
 
  - Avoid crash on restart due to an incorrect stack address
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJcSFbpAAoJEDjwexyKj9rg7jgH/17R+vUTBQpK+5EGEJVU6n+D
 fKm3kiQA8LRxvEgLCXn7HLVLOt0EdVesTHhk9C7dm8Vya7eCCbNIvnf61b+9CuVt
 ezqdDAaQDxO5165WwP7RJU3vVfBHZsTGv7ysI/kjHdlWE4DSeDdHx1C0yE67YSCp
 Btl+H3KZx98Ga0Uo0yn8Nmo3D4HFcg9T6KF7OA/3D5jILagbwktKI3+wJcL90LFx
 EomvckGc60MOfvP550wIYu3izpCCbFC00Gir/RX0pmstHOwvITKMss7tnizIEvPu
 NBKO+CenV0MMDzP8xjhWNcziuq9/OdzSeA1Q2vbnP5GVSe5sIrU6c7+QRXkA6uU=
 =EvJV
 -----END PGP SIGNATURE-----

Merge tag 's390-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 fixes from Martin Schwidefsky:

 - Do not claim to run under z/VM if the hypervisor can not be
   identified

 - Fix crashes due to outdated ASCEs in CR1

 - Avoid a deadlock in regard to CPU hotplug

 - Really fix the vdso mapping issue for compat tasks

 - Avoid crash on restart due to an incorrect stack address

* tag 's390-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU
  s390/vdso: correct vdso mapping for compat tasks
  s390/smp: fix CPU hotplug deadlock with CPU rescan
  s390/mm: always force a load of the primary ASCE on context switch
  s390/early: improve machine detection
2019-01-24 08:58:01 +13:00
Corey Minyard
913a89f009 ipmi: Don't initialize anything in the core until something uses it
The IPMI driver was recently modified to use SRCU, but it turns out
this uses a chunk of percpu memory, even if IPMI is never used.

So modify thing to on initialize on the first use.  There was already
code to sort of handle this for handling init races, so piggy back
on top of that, and simplify it in the process.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reported-by: Tejun Heo <tj@kernel.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org # 4.18
2019-01-23 11:09:32 -06:00
Yang Yingliang
77f8269606 ipmi: fix use-after-free of user->release_barrier.rda
When we do the following test, we got oops in ipmi_msghandler driver
while((1))
do
	service ipmievd restart & service ipmievd restart
done

---------------------------------------------------------------
[  294.230186] Unable to handle kernel paging request at virtual address 0000803fea6ea008
[  294.230188] Mem abort info:
[  294.230190]   ESR = 0x96000004
[  294.230191]   Exception class = DABT (current EL), IL = 32 bits
[  294.230193]   SET = 0, FnV = 0
[  294.230194]   EA = 0, S1PTW = 0
[  294.230195] Data abort info:
[  294.230196]   ISV = 0, ISS = 0x00000004
[  294.230197]   CM = 0, WnR = 0
[  294.230199] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000a1c1b75a
[  294.230201] [0000803fea6ea008] pgd=0000000000000000
[  294.230204] Internal error: Oops: 96000004 [#1] SMP
[  294.235211] Modules linked in: nls_utf8 isofs rpcrdma ib_iser ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_umad rdma_cm ib_cm iw_cm dm_mirror dm_region_hash dm_log dm_mod aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce sha2_ce ses sha256_arm64 sha1_ce hibmc_drm hisi_sas_v2_hw enclosure sg hisi_sas_main sbsa_gwdt ip_tables mlx5_ib ib_uverbs marvell ib_core mlx5_core ixgbe ipmi_si mdio hns_dsaf ipmi_devintf ipmi_msghandler hns_enet_drv hns_mdio
[  294.277745] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted 5.0.0-rc2+ #113
[  294.285511] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.37 11/21/2017
[  294.292835] pstate: 80000005 (Nzcv daif -PAN -UAO)
[  294.297695] pc : __srcu_read_lock+0x38/0x58
[  294.301940] lr : acquire_ipmi_user+0x2c/0x70 [ipmi_msghandler]
[  294.307853] sp : ffff00001001bc80
[  294.311208] x29: ffff00001001bc80 x28: ffff0000117e5000
[  294.316594] x27: 0000000000000000 x26: dead000000000100
[  294.321980] x25: dead000000000200 x24: ffff803f6bd06800
[  294.327366] x23: 0000000000000000 x22: 0000000000000000
[  294.332752] x21: ffff00001001bd04 x20: ffff80df33d19018
[  294.338137] x19: ffff80df33d19018 x18: 0000000000000000
[  294.343523] x17: 0000000000000000 x16: 0000000000000000
[  294.348908] x15: 0000000000000000 x14: 0000000000000002
[  294.354293] x13: 0000000000000000 x12: 0000000000000000
[  294.359679] x11: 0000000000000000 x10: 0000000000100000
[  294.365065] x9 : 0000000000000000 x8 : 0000000000000004
[  294.370451] x7 : 0000000000000000 x6 : ffff80df34558678
[  294.375836] x5 : 000000000000000c x4 : 0000000000000000
[  294.381221] x3 : 0000000000000001 x2 : 0000803fea6ea000
[  294.386607] x1 : 0000803fea6ea008 x0 : 0000000000000001
[  294.391994] Process swapper/3 (pid: 0, stack limit = 0x0000000083087293)
[  294.398791] Call trace:
[  294.401266]  __srcu_read_lock+0x38/0x58
[  294.405154]  acquire_ipmi_user+0x2c/0x70 [ipmi_msghandler]
[  294.410716]  deliver_response+0x80/0xf8 [ipmi_msghandler]
[  294.416189]  deliver_local_response+0x28/0x68 [ipmi_msghandler]
[  294.422193]  handle_one_recv_msg+0x158/0xcf8 [ipmi_msghandler]
[  294.432050]  handle_new_recv_msgs+0xc0/0x210 [ipmi_msghandler]
[  294.441984]  smi_recv_tasklet+0x8c/0x158 [ipmi_msghandler]
[  294.451618]  tasklet_action_common.isra.5+0x88/0x138
[  294.460661]  tasklet_action+0x2c/0x38
[  294.468191]  __do_softirq+0x120/0x2f8
[  294.475561]  irq_exit+0x134/0x140
[  294.482445]  __handle_domain_irq+0x6c/0xc0
[  294.489954]  gic_handle_irq+0xb8/0x178
[  294.497037]  el1_irq+0xb0/0x140
[  294.503381]  arch_cpu_idle+0x34/0x1a8
[  294.510096]  do_idle+0x1d4/0x290
[  294.516322]  cpu_startup_entry+0x28/0x30
[  294.523230]  secondary_start_kernel+0x184/0x1d0
[  294.530657] Code: d538d082 d2800023 8b010c81 8b020021 (c85f7c25)
[  294.539746] ---[ end trace 8a7a880dee570b29 ]---
[  294.547341] Kernel panic - not syncing: Fatal exception in interrupt
[  294.556837] SMP: stopping secondary CPUs
[  294.563996] Kernel Offset: disabled
[  294.570515] CPU features: 0x002,21006008
[  294.577638] Memory Limit: none
[  294.587178] Starting crashdump kernel...
[  294.594314] Bye!

Because the user->release_barrier.rda is freed in ipmi_destroy_user(), but
the refcount is not zero, when acquire_ipmi_user() uses user->release_barrier.rda
in __srcu_read_lock(), it causes oops.
Fix this by calling cleanup_srcu_struct() when the refcount is zero.

Fixes: e86ee2d44b ("ipmi: Rework locking and shutdown for hot remove")
Cc: stable@vger.kernel.org # 4.18
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-01-23 10:44:23 -06:00
Fred Klassen
479d6b39b9 ipmi: Prevent use-after-free in deliver_response
Some IPMI modules (e.g. ibmpex_msg_handler()) will have ipmi_usr_hdlr
handlers that call ipmi_free_recv_msg() directly. This will essentially
kfree(msg), leading to use-after-free.

This does not happen in the ipmi_devintf module, which will queue the
message and run ipmi_free_recv_msg() later.

BUG: KASAN: use-after-free in deliver_response+0x12f/0x1b0
Read of size 8 at addr ffff888a7bf20018 by task ksoftirqd/3/27
CPU: 3 PID: 27 Comm: ksoftirqd/3 Tainted: G           O      4.19.11-amd64-ani99-debug #12.0.1.601133+pv
Hardware name: AppNeta r1000/X11SPW-TF, BIOS 2.1a-AP 09/17/2018
Call Trace:
dump_stack+0x92/0xeb
print_address_description+0x73/0x290
kasan_report+0x258/0x380
deliver_response+0x12f/0x1b0
? ipmi_free_recv_msg+0x50/0x50
deliver_local_response+0xe/0x50
handle_one_recv_msg+0x37a/0x21d0
handle_new_recv_msgs+0x1ce/0x440
...

Allocated by task 9885:
kasan_kmalloc+0xa0/0xd0
kmem_cache_alloc_trace+0x116/0x290
ipmi_alloc_recv_msg+0x28/0x70
i_ipmi_request+0xb4a/0x1640
ipmi_request_settime+0x1b8/0x1e0
...

Freed by task 27:
__kasan_slab_free+0x12e/0x180
kfree+0xe9/0x280
deliver_response+0x122/0x1b0
deliver_local_response+0xe/0x50
handle_one_recv_msg+0x37a/0x21d0
handle_new_recv_msgs+0x1ce/0x440
tasklet_action_common.isra.19+0xc4/0x250
__do_softirq+0x11f/0x51f

Fixes: e86ee2d44b ("ipmi: Rework locking and shutdown for hot remove")
Cc: stable@vger.kernel.org # 4.18
Signed-off-by: Fred Klassen <fklassen@appneta.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-01-23 10:44:45 -06:00
Gustavo A. R. Silva
a7102c7461 ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
channel and addr->channel are indirectly controlled by user-space,
hence leading to a potential exploitation of the Spectre variant 1
vulnerability.

These issues were detected with the help of Smatch:

drivers/char/ipmi/ipmi_msghandler.c:1381 ipmi_set_my_address() warn: potential spectre issue 'user->intf->addrinfo' [w] (local cap)
drivers/char/ipmi/ipmi_msghandler.c:1401 ipmi_get_my_address() warn: potential spectre issue 'user->intf->addrinfo' [r] (local cap)
drivers/char/ipmi/ipmi_msghandler.c:1421 ipmi_set_my_LUN() warn: potential spectre issue 'user->intf->addrinfo' [w] (local cap)
drivers/char/ipmi/ipmi_msghandler.c:1441 ipmi_get_my_LUN() warn: potential spectre issue 'user->intf->addrinfo' [r] (local cap)
drivers/char/ipmi/ipmi_msghandler.c:2260 check_addr() warn: potential spectre issue 'intf->addrinfo' [r] (local cap)

Fix this by sanitizing channel and addr->channel before using them to
index user->intf->addrinfo and intf->addrinfo, correspondingly.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-01-23 10:44:23 -06:00
Corey Minyard
7d6380cd40 ipmi:ssif: Fix handling of multi-part return messages
The block number was not being compared right, it was off by one
when checking the response.

Some statistics wouldn't be incremented properly in some cases.

Check to see if that middle-part messages always have 31 bytes of
data.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org # 4.4
2019-01-23 10:44:23 -06:00
Linus Torvalds
333478a7eb Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
Pull thermal management fixes from Zhang Rui:

 - Fix a race condition that sysfs could be accessed before necessary
   initialization in int340x thermal driver. (Aaron Hill)

 - Fix a NULL vs IS_ERR() check in int340x thermal driver. (Dan
   Carpenter)

* 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
  drivers: thermal: int340x_thermal: Fix sysfs race condition
  thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
2019-01-23 16:23:41 +13:00
Linus Torvalds
0b0d4be6b4 This is a sort of random collection of clk fixes that have come in since
the merge window.
 
  - Handful of memory allocation and potentially bad pointer usage fixes
 
  - JSON format was incorrect for clk_dump because it missed a comma
 
  - Two Kconfig fixes, one duplicate and one missing select line
 
  - Compiler warning fix for the VC5 clk driver
 
  - Name and rate fixes for PLLs in the stratix10 driver so it can
    properly detect PLL rates and parents
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEE9L57QeeUxqYDyoaDrQKIl8bklSUFAlxHce8RHHNib3lkQGtl
 cm5lbC5vcmcACgkQrQKIl8bklSUpfxAAxBj9FLNBnfUSg6ZsJzg8rT5BKu3qKqtx
 l0Fzr42J0NqCcWdlqwqJCS6KKsiP5vDmtHwfkdZKDH0veYo8vzZPgGw2gb6WZW7u
 Rc47/z4a1WLpA5A8uLaGzSECNwEwlNbO0hd11CNtRBipEARdC/MH/jMgJMELgNj4
 gu7f/s7Go+1ajvcxI9FRcN+aRoumzUt/3bPoxrITa7rOuK6te55gx0chzmjR+CxX
 TKqJRdSUr19rbSpTTS8LovzpmmIDCCbzNvH4NOFGlz1GJr4k2pF266zBUjqmYkqE
 fVbSwC4qsJlFQqwoal1QOgrCGRnXiQp9L8uwGanw7a3KYtbvb2EqoEwbYb7TPFTH
 eG6NiZ5MfuU3YuDn2AQVMzoRzKB3SWSTUNfEZ91IPUKaOeYg9AzreDgVzXmMhDUG
 AHgjatnXGCT0tzrh0te0XmexSaDS3pt9MOfuNVyEYGSmOZq/795duWs+qKBkgw1c
 qXKMjv435XQSu8ndK/K4d25PSnxbdxti1XXMLBKjMv7Ohkyjwzs1l3P5UD8gqRe4
 uNCIZVYFIxqpMA4+Jc3saM9YUHtA2cAEp9iUnWeeMYm8Ds26taG+Xr3SIIKtDufn
 YG+lTKTXTZsjqYf4p8rQT26RRrVa/ZVwP7A4fl5nkGaJdUi4+qd5uNu/22Zr25DV
 dR2UNiYV4Og=
 =1a7x
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Stephen Boyd:
 "This is a sort of random collection of clk fixes that have come in
  since the merge window:

   - Handful of memory allocation and potentially bad pointer usage
     fixes

   - JSON format was incorrect for clk_dump because it missed a comma

   - Two Kconfig fixes, one duplicate and one missing select line

   - Compiler warning fix for the VC5 clk driver

   - Name and rate fixes for PLLs in the stratix10 driver so it can
     properly detect PLL rates and parents"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: socfpga: stratix10: fix naming convention for the fixed-clocks
  clk: socfpga: stratix10: fix rate calculation for pll clocks
  clk: qcom: Select QCOM_GDSC with MSM_GCC_8998
  clk: vc5: Abort clock configuration without upstream clock
  clk: sysfs: fix invalid JSON in clk_dump
  clk: imx: Remove Kconfig duplicate include
  clk: zynqmp: Fix memory allocation in zynqmp_clk_setup
  clk: tegra: dfll: Fix a potential Oop in remove()
  clk: imx: fix potential NULL dereference in imx8qxp_lpcg_clk_probe()
2019-01-23 14:04:22 +13:00
Linus Torvalds
8f45fa2724 linux-kselftest-5.0-rc4
This Kselftest update for Linux 5.0-rc4 consists of fixes to rtc, seccomp
 and other tests.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEPZKym/RZuOCGeA/kCwJExA0NQxwFAlxHTz0ACgkQCwJExA0N
 Qxzt9hAAutAJagSuFROtzJN//x7oGQl5v1DnbLERI388vK4a+vL3bEsHh7QRlUbe
 x3mu6PZCQ/kFl5f7mrICuBPRWxSJA4rDVGeLWJlKUKqoB/rW/W1bvCBVPXCO2XMc
 FLxAXDd/bL/NsDOBJUjkk1mHYcfmB8dqPlLZM/ArbZbQLRBKXocTP7VclNtrZmgJ
 vIB3WU+JfgW4Bx8DlkZbiWohe+vazfDYbBoYMmh4OrCwuxOZL0T6cAd3qddCoP/N
 SOpryfCMHN8TX5f3L+BFqkF2vk7EbKRGxVW1bOJ9SXIN1/XCKTp9/VqVrryJ4Dx2
 Hf6YNnoRGGphFErJ+9IRF3qLWxObkHYRWwKL4ZEqkB7VxIHNqpfYO9t5H8lhzFoy
 rhSQM0a9UNoCplKfzsLx5uRGC+/dPPVDCashF6grpqws3nDBIYwTdN3bdtYBkhjL
 V1AYslysX+frxzTtPdRvJI2w8Y7BUjRBjuFkXJxTsfPzyPa/oyIx8QEP1yifTJu4
 4ijfsZbmSoCynCK9ckw7DL2IOLHUrVbr2jldPsbPROo+Vy0nDhILbvbm+bYQXchM
 OmBRnX9NbWLrnI3ZeF4tuKbz1R4Ax/Z1qRWzZoKo9V469l5wSTkYHkZFPcmwNWyo
 vvSSJ0YmtKkLclrT4/GYvL2qVYXAGFy2HV44Ag5S3b+KehkIZFI=
 =xk1L
 -----END PGP SIGNATURE-----

Merge tag 'linux-kselftest-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Pull kselftest fixes from Shuah Khan:
 "Fixes to rtc, seccomp and other tests"

* tag 'linux-kselftest-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  selftests/seccomp: Abort without user notification support
  selftests: gpio-mockup-chardev: Check asprintf() for error
  selftests: seccomp: use LDLIBS instead of LDFLAGS
  selftests/vm/gup_benchmark.c: match gup struct to kernel
  tools/testing/selftests/x86/unwind_vdso.c: Remove duplicate header
  x86/mpx/selftests: fix spelling mistake "succeded" -> "succeeded"
  selftests: rtc: rtctest: add alarm test on minute boundary
  selftests: rtc: rtctest: fix alarm tests
2019-01-23 14:02:14 +13:00
Linus Torvalds
787a3b4322 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
Pull HID fixes from Jiri Kosina:

 - descriptor parsing regression fix for devices that have more than 16
   collections, from Peter Hutterer (and followup cleanup from Philipp
   Zabel)

 - quirk for Goodix touchpad

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
  HID: core: simplify active collection tracking
  HID: i2c-hid: Disable runtime PM on Goodix touchpad
  HID: core: replace the collection tree pointers with indices
2019-01-23 07:16:05 +13:00
Linus Torvalds
48b161983a XArray updates for 5.0-rc3
Fix some oversights in the XArray porcelain API:
  - support for m68k's two-byte aligned pointers
  - reserving entries using xa_insert()
  - missing xa_insert_bh() and xa_insert_irq() functions
  - simplify using xa_for_each()
  - use lockdep correctly
  - a few other minor fixes and improvements
 -----BEGIN PGP SIGNATURE-----
 
 iQFIBAABCgAyFiEEejHryeLBw/spnjHrDpNsjXcpgj4FAlxGjXAUHHdpbGx5QGlu
 ZnJhZGVhZC5vcmcACgkQDpNsjXcpgj5L4Qf8DQaaA9aDsZ66CGaxExfxiEMM2SEl
 Ns02XTgVWvXUPI2zHU6oZGBgWOY2jysy688WJZH7FlFJVzHytbZ26ZG6sabVD271
 WQJnjSeZwNnCF0ZJP/mbr6SKkZHOaAxWRgeXJQFPvke58gMxj9w7a2qU5OEBcbS2
 nUCk5LzqQHveH0UYQJJGvKca/p8f2h0Y28+BG5YRWo1ivEDAf6LaD2ItTOv5Jf/4
 lfaW48h/ObBNMaor+0fn8Po5TtP9R8vgBGDt5XRjiTy0yXEq62HwTCHjOydqywTA
 pyEN8zZMtOwDjz9eEm+WPR3bLcOmLK+i0+oRFpM7tNl+iq/i0DCjxpJ+eQ==
 =56qs
 -----END PGP SIGNATURE-----

Merge tag 'xarray-5.0-rc3' of git://git.infradead.org/users/willy/linux-dax

Pull XArray fixes from Matthew Wilcox:
 "Fix some oversights in the XArray porcelain API:

   - support for m68k's two-byte aligned pointers

   - reserving entries using xa_insert()

   - missing xa_insert_bh() and xa_insert_irq() functions

   - simplify using xa_for_each()

   - use lockdep correctly

   - a few other minor fixes and improvements"

* tag 'xarray-5.0-rc3' of git://git.infradead.org/users/willy/linux-dax:
  XArray: Fix an arithmetic error in xa_is_err
  XArray tests: Check mark 2 gets squashed
  XArray: Fix typo in comment
  XArray: Honour reserved entries in xa_insert
  XArray: Permit storing 2-byte-aligned pointers
  XArray: Change xa_for_each iterator
  XArray: Turn xa_init_flags into a static inline
  XArray tests: Add RCU locking
2019-01-22 17:08:30 +13:00
Christoph Hellwig
f8ff6c732d ide: fix a typo in the settings proc file name
Fixes: ec7d9c9ce8 ("ide: replace ->proc_fops with ->proc_show")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-22 15:08:12 +13:00
Linus Torvalds
52e60b7544 IOMMU Fix for Linux v5.0-rc3
One fix only for now:
 
 	- Fix probe deferral in iommu/of code (broke with recent changes
 	  to iommu_ops->add_device invocation)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJcRZMlAAoJECvwRC2XARrjk2MQAIvf8Ze/T9xlCG+ouzdrnkfs
 oUeta4cdrfsHc5kk+RPOHSQzPJxYeAGYFQHi2W0Vkh0f7vOj+Cwr/vaMbRQS5I/+
 dfQSj7nwSmLEaGlC2OIzWmJ50Mj4L4M2rV5q8IXQqP5plPM22s7u5p9pJOiNIqhX
 K/EBlA+movhnh3RqrzjJ1Vl5aKl0RQhrl1vJfxgTeoem42f9nWMEflifbddrQsbm
 G12RQdjTVI7w/IVc+xwPPAimhZX2we9MowXmVB7zdVA1MUa3i1rwLYNIkdJ56lRN
 F/OC/WyMIkln8SLP1A2VOb1M7Vkkao2gaSwLw3XP92oxzimQMHHTMalI1C2Pv4/e
 yrrSPzg4A0QadeS68loEOIT/zneGfd4EX3P7J2DysSLrwqkiiE/Ivgn737TcsleW
 xLnknIgkaTx3pxW7p2rZDWPQcQVAk60IOU4o6tSyCwfFVAk4teJxKZF98fyMhmf6
 LR2GPYmXTAdc+s1TVTotYX9/g1InRcPbwOCbnlsPQ/iykYLlF3kn+fAJiliv6bNj
 PZ39B0gLmKPF5jqvnxNeXy94nF5IgGek+tGdmR0j1Y0i3MuvJnqvq09NCnwxXY6I
 SReu1R66C24m4uLkHATTovWBvGJ4sFBPzDl4OpbB248I4cboYcAfaxwbitc7JMf/
 79KXXR3tiNUY1cDmt7u2
 =+93K
 -----END PGP SIGNATURE-----

Merge tag 'iommu-fixes-v5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

Pull IOMMU fix from Joerg Roedel:
 "One fix only for now: Fix probe deferral in iommu/of code (broke with
  recent changes to iommu_ops->add_device invocation)"

* tag 'iommu-fixes-v5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/of: Fix probe-deferral
2019-01-22 07:27:17 +13:00
Linus Torvalds
57ef300e46 ARC updates for 5.0-rc3
- Perf support for raw events
 
  - boot log printing: return stack, action points
 
  - fix memset to avoid prefetchw bleeding past end of buffer
 
  - do_page_fault fix for mmap_sem held while returning to userspace
 
  - other miscll fixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJcRRDDAAoJEGnX8d3iisJeOZEP/RHaQIxZYx4jAIu1oS+2a/oy
 eQ+GHTVDBjIiQdDiXYZ3wKnmqbHSwc92m7JH7VwRTNd6KkW9rLCs7b66FQpio7f6
 SfVQH4C+QP3nBtJH/QQ6dKw90oRQIenyJN+lhaX0HeCQj3nk72RDXffZwpYuDoqQ
 1YX8dcj4DBEEcYbBIExDJd5Uchd0Xs5in7IKeAq7q20BAPZNNjpNM0bt71Bz99c/
 r+t6o0iatnmLm7h5Q40HrjDMQDlFB/nDuvsgGj62IEiyiMIJxGlRaAV5G8SoJKQH
 ZV4gVKgazmkx3Fpl/OUDBCPa0dy2RcZyC/qqhYrEUJT6rQZ+Je/QPQ6vG6OMhIL0
 lhiU6VcRB6mXM7YFuEf8pp1tBHXOxAhjCUXF+DdIMag6F5+jn1DK9I+c+ia1wptt
 ME0L2ytbdU/bWMK0qwU5j/VuKRKSO31Mgi9w9gb8k3/WijLpXKT/slRr9dt+7fke
 7gpm+nzVJ03ImQJduvqkPasdAl+IhgVoPji+zeiJWkSjSO6T9Zvj0eeRA+Gl/ciE
 UlTh334R3SMz+vgfS/Qjy7Fsdkx4lsVqslTs94vq3bh5nlz8fXUNrioTF8BCs4nm
 Y3WWFAWnoFSpE5CjkdRNpaP0iRyFryCuCtL9ed8YBhKLuMkPVJNYFZ5t3NvOXKVA
 7QM8uuNhRLXVsI6WUfxf
 =QMUe
 -----END PGP SIGNATURE-----

Merge tag 'arc-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc

Pull ARC architecture updates from Vineet Gupta:

 - Perf support for raw events

 - boot log printing: return stack, action points

 - fix memset to avoid prefetchw bleeding past end of buffer

 - do_page_fault fix for mmap_sem held while returning to userspace

 - other misc fixes

* tag 'arc-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
  ARCv2: lib: memeset: fix doing prefetchw outside of buffer
  ARC: mm: do_page_fault fixes #1: relinquish mmap_sem if signal arrives while handle_mm_fault
  ARC: show_regs: lockdep: re-enable preemption
  ARC: show_regs: lockdep: avoid page allocator...
  ARC: perf: avoid kernel killing where it is possible
  ARC: perf: move HW events mapping to separate function
  ARC: perf: introduce Kernel PMU events support
  ARC: perf: trivial code cleanup
  ARC: perf: map generic branches to correct hardware condition
  ARC: adjust memblock_reserve of kernel memory
  arc: remove redundant kernel-space generic-y
  ARC: fix __ffs return value to avoid build warnings
  ARC: boot log: print Action point details
  ARCv2: boot log: BPU return stack depth
2019-01-22 07:15:58 +13:00
Linus Torvalds
49a57857ae Linux 5.0-rc3 2019-01-21 13:14:44 +13:00
Linus Torvalds
1e556ba3b6 Fixes for pstore/ram
- Fix console ramoops to show the previous boot logs (Sai Prakash Ranjan)
 - Avoid allocation and leak of platform data
 -----BEGIN PGP SIGNATURE-----
 Comment: Kees Cook <kees@outflux.net>
 
 iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAlxE/QYWHGtlZXNjb29r
 QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJsVXD/94pJsNHogOle3XnZJst/1cV4+R
 KTyQ6QQ1184lI5FPGJliV3veCuKnTY4Q7e5vCl2mzEvds+VRxu2yUm+LFxKVj04W
 yiRNv8Yn3+3eKxNufqLa9ySbsSZyIpoCKQ/20nbC5cNM3r+Gq12GUnDBixtGdl9V
 fB316emIaKR70Qvi9KlfwDTcjh+SWBR2u8L0YsmTaoJkjtaCJhekN3hfya6Wnjf5
 1sj1fCDzteda/Ld0gXoImHPvt0UcHPJDp1+ZhY0ja64QIuoWwDxsisp4X4nS8iFD
 oak9BWRDhRwSzPnyCu8BI3Hc4ayxcBYR/vmBS12LTkIJVdR1CaqfeDYvZexyX04n
 TYZnmPeZ+2R3wzA9aCLjUDEAYNi403sLqIvR99jlrOoiMo+5Bf05TvBG8lND2dQg
 A13854vg9ssxfiuEmvxJTg8SLtcFiqEtrzZhqaLVfuf4cqaN3o0Ed+A0gjZadwwD
 TPxiMh4YEZuw+qszZwyzi7uECKOvJIJeLCL8CApPvihCNFy2vKF5wj58ZizXXmoT
 Orq6DJ1ITx4DTkYIgtiTC9HKDuvNDZ/ncdb5QoqlpoTe01r8GQOzffZ+tD3xRTNc
 8+yAdK0/bTjLVNbFX/Q4dwagh0I8EQSrdw8CmmQs0lsCvfyYTfHz8uPeBQ7rrzeN
 2r1H7a/OKpL/duTkEw==
 =m6sX
 -----END PGP SIGNATURE-----

Merge tag 'pstore-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull pstore fixes from Kees Cook:

 - Fix console ramoops to show the previous boot logs (Sai Prakash
   Ranjan)

 - Avoid allocation and leak of platform data

* tag 'pstore-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  pstore/ram: Avoid allocation and leak of platform data
  pstore/ram: Fix console ramoops to show the previous boot logs
2019-01-21 13:12:03 +13:00
Linus Torvalds
dbcfc96193 Bug fixes for gcc-plugins
- Fix ARM per-task stack protector plugin under GCC 9 (Ard Biesheuvel)
 -----BEGIN PGP SIGNATURE-----
 Comment: Kees Cook <kees@outflux.net>
 
 iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAlxE8ucWHGtlZXNjb29r
 QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJrpKEACiPNVPQv4up+0fFYzVjYgUej4g
 JItPgDwxx/BFTYocvCrqOk++wlduhyheesfSo/VL1u3rSQa9XwIFUvnRMI2befye
 Rs2HqUB5c5tQzVs9Qaqf7d0aMAW06zROC+osI5dcJqKts0nTkRdw0PNhnmKNrkou
 qxXHWUPR2ussagaLnqrJisEuwRgga2nyGqBEWJXPO/qE6llZB+OUfeJ+3VX7QFj6
 PRlenSGs+9nq8yRyKb6+FQJbzxpxAoeNNogRdlG/NMwNMMcs5j81hl3+V1LNQNGt
 hoTE1Wt/qOtwFU/wm2iNj8WKczS1PjDteBsNAuen8yquTKIrBsvu5+J6me6Uw2By
 b5uPs0e9zbLD6U29Y/dX2mzLSR5Rd09/Czv2C8rmC3gU1pK12Zbaq/sXRuDPQrtq
 hShbFxW+eHyl2q8oHmROkjsOJitx0vWW/oHibjcRGpoArl/Pj1Wcz/Jq6KM0FDIU
 PiwT94BEQhDTpssb/7EnHflDWRQ+jX1mN+KF3BjtEtYyNExuMXn5Ec0iWcSq04M7
 gg6nSfEta4P3Bgdr386nufd5qIC9M1gEYpNZTVXaKjMnKKFiGox72/Jo0zQbL9LT
 5hOOn+VN9PCjIMJ8se3lYoe2n1dZLpLzrk0fyRbZ1Ab4HURoGdJJ2PzoEmtOsH73
 TV8lZiS+M+qRQidOhg==
 =q4n8
 -----END PGP SIGNATURE-----

Merge tag 'gcc-plugins-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull gcc-plugins fixes from Kees Cook:
 "Fix ARM per-task stack protector plugin under GCC 9 (Ard Biesheuvel)"

* tag 'gcc-plugins-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  gcc-plugins: arm_ssp_per_task_plugin: fix for GCC 9+
  gcc-plugins: arm_ssp_per_task_plugin: sign extend the SP mask
2019-01-21 13:07:03 +13:00
Linus Torvalds
7d0ae236ed Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Fix endless loop in nf_tables, from Phil Sutter.

 2) Fix cross namespace ip6_gre tunnel hash list corruption, from
    Olivier Matz.

 3) Don't be too strict in phy_start_aneg() otherwise we might not allow
    restarting auto negotiation. From Heiner Kallweit.

 4) Fix various KMSAN uninitialized value cases in tipc, from Ying Xue.

 5) Memory leak in act_tunnel_key, from Davide Caratti.

 6) Handle chip errata of mv88e6390 PHY, from Andrew Lunn.

 7) Remove linear SKB assumption in fou/fou6, from Eric Dumazet.

 8) Missing udplite rehash callbacks, from Alexey Kodanev.

 9) Log dirty pages properly in vhost, from Jason Wang.

10) Use consume_skb() in neigh_probe() as this is a normal free not a
    drop, from Yang Wei. Likewise in macvlan_process_broadcast().

11) Missing device_del() in mdiobus_register() error paths, from Thomas
    Petazzoni.

12) Fix checksum handling of short packets in mlx5, from Cong Wang.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (96 commits)
  bpf: in __bpf_redirect_no_mac pull mac only if present
  virtio_net: bulk free tx skbs
  net: phy: phy driver features are mandatory
  isdn: avm: Fix string plus integer warning from Clang
  net/mlx5e: Fix cb_ident duplicate in indirect block register
  net/mlx5e: Fix wrong (zero) TX drop counter indication for representor
  net/mlx5e: Fix wrong error code return on FEC query failure
  net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
  tools: bpftool: Cleanup license mess
  bpf: fix inner map masking to prevent oob under speculation
  bpf: pull in pkt_sched.h header for tooling to fix bpftool build
  selftests: forwarding: Add a test case for externally learned FDB entries
  selftests: mlxsw: Test FDB offload indication
  mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky
  net: bridge: Mark FDB entries that were added by user as such
  mlxsw: spectrum_fid: Update dummy FID index
  mlxsw: pci: Return error on PCI reset timeout
  mlxsw: pci: Increase PCI SW reset timeout
  mlxsw: pci: Ring CQ's doorbell before RDQ's
  MAINTAINERS: update email addresses of liquidio driver maintainers
  ...
2019-01-21 12:52:31 +13:00
Kees Cook
5631e8576a pstore/ram: Avoid allocation and leak of platform data
Yue Hu noticed that when parsing device tree the allocated platform data
was never freed. Since it's not used beyond the function scope, this
switches to using a stack variable instead.

Reported-by: Yue Hu <huyue2@yulong.com>
Fixes: 35da60941e ("pstore/ram: add Device Tree bindings")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2019-01-20 14:44:52 -08:00
Ard Biesheuvel
2c88c742d0 gcc-plugins: arm_ssp_per_task_plugin: fix for GCC 9+
GCC 9 reworks the way the references to the stack canary are
emitted, to prevent the value from being spilled to the stack
before the final comparison in the epilogue, defeating the
purpose, given that the spill slot is under control of the
attacker that we are protecting ourselves from.

Since our canary value address is obtained without accessing
memory (as opposed to pre-v7 code that will obtain it from a
literal pool), it is unlikely (although not guaranteed) that
the compiler will spill the canary value in the same way, so
let's just disable this improvement when building with GCC9+.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
2019-01-20 14:06:40 -08:00
Ard Biesheuvel
560706d5d2 gcc-plugins: arm_ssp_per_task_plugin: sign extend the SP mask
The ARM per-task stack protector GCC plugin hits an assert in
the compiler in some case, due to the fact the the SP mask
expression is not sign-extended as it should be. So fix that.

Suggested-by: Kugan Vivekanandarajah <kugan.vivekanandarajah@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
2019-01-20 14:06:40 -08:00
Linus Torvalds
bb617b9b45 virtio, vhost: fixes, cleanups
fixes and cleanups all over the place
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJcPTc7AAoJECgfDbjSjVRpOEgH/Ahdx7VMYJtFsdmoJKiwhB7M
 jRRi9R903V9H87vl1BXy6dutHw+WONJtm6FSZ1ayNWlVmUmWS6vci+IUErr2uDrv
 KSG+dJMQLlF7t1dnLRwlLazvGa4/58+u0J459uKPQ5ckqwV5wXPjUS5Z0xF3ldxM
 Twz6vhYRGKCUc10YZm/WmsjlLROgaNtRya10PzAGVmXPzbCpvJfiojKWJER+Eigq
 JxWynTCm/YvIk824Ls9cDBVkDvb8GPS3blVbFnusR+D3ktvX7vLDPOsErGn4umVS
 nUm3/WiQALB9fKer+SsgcEGVh+fa06KIITK+IBblULmrAIT3CJdJp70UJBjfdTM=
 =DCkE
 -----END PGP SIGNATURE-----

Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost

Pull virtio/vhost fixes and cleanups from Michael Tsirkin:
 "Fixes and cleanups all over the place"

* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
  vhost/scsi: Use copy_to_iter() to send control queue response
  vhost: return EINVAL if iovecs size does not match the message size
  virtio-balloon: tweak config_changed implementation
  virtio: don't allocate vqs when names[i] = NULL
  virtio_pci: use queue idx instead of array idx to set up the vq
  virtio: document virtio_config_ops restrictions
  virtio: fix virtio_config_ops description
2019-01-21 07:37:16 +13:00
Linus Torvalds
1be969f468 for-5.0-rc2-tag
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAlxElHsACgkQxWXV+ddt
 WDsF8Q/6A+l/Ku8D+xSmw+JGXGNroX1V62sxVYWqIgrkYNg6iSMjicqF3aN1bCbR
 LqvOQ5skerrKteNYIPbTTOD5Xp37ccinSeEWEF0ktFkeU1G6yJo7aRsnQlO1sduk
 2PKUOA1/PdeTBiOj1bej/1ybhtIW+d0MaoPtnUCMC8DD/ihfmU332+KC8VmRUYGZ
 4kT1DvKfBOSVz1UTl6OJdWo76crvjz0eGVnH1YG7DoFbpVzAbphHE7+aC/WkHQme
 X5Ux2NtYVMe/0IGAC7kJnj4jCZ1weAdlmvzzagjzGtWdhWgTxntiJ/FVJs9nO8Dm
 G/pVtD8RVjgMkPOWcfw5fdderrBJqjVGgl4VDrDLqjO9OTGNFJs+HgcPRi6Oli28
 sA+HG+U34YzSfKY0L9eAmpkNxMjWywBuXTQIAlMhHNZCL0vZ2K5EYa3dTp9OswAW
 IIcOh/LfZxiomvMvUqQWcRCy5y/b+cYjOjbHwkrw+ewd3IWXVLG8YLMyZI3vnHKu
 /f1xn6KCap9a1cS4LwyK6gzstEugn0MYmnmD/Jx8I1BJFBt55Q31ES6tPHgTmh/d
 QjveRjMkxNCql4h5Hq0+LiXoSoocBmsO0wrs2QrWSx4PBnJsvjySnWr/8GfAOj79
 BhnuQFxbr/BkNyBzvKrjoI+zZnrVm0cBU59lP6PzN75+kQTaIfs=
 =hGlM
 -----END PGP SIGNATURE-----

Merge tag 'for-5.0-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:
 "A handful of fixes (some of them in testing for a long time):

   - fix some test failures regarding cleanup after transaction abort

   - revert of a patch that could cause a deadlock

   - delayed iput fixes, that can help in ENOSPC situation when there's
     low space and a lot data to write"

* tag 'for-5.0-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: wakeup cleaner thread when adding delayed iput
  btrfs: run delayed iputs before committing
  btrfs: wait on ordered extents on abort cleanup
  btrfs: handle delayed ref head accounting cleanup in abort
  Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
2019-01-21 07:35:26 +13:00
Linus Torvalds
315a6d850a include/linux/compiler*.h changes:
- A fix for OPTIMIZER_HIDE_VAR
     From Michael S. Tsirkin
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEPjU5OPd5QIZ9jqqOGXyLc2htIW0FAlxEkZkACgkQGXyLc2ht
 IW2ksQ/8C2rfoTcKKeNxjpgV2XQ0HV6DsacEeQw+0VSBTzA2OPSiV61Dfm6/qywp
 Y7DyjrosteIOShZhxSdg6M04uDEtb9m8GaWQitW3ewfmbnXmRX5OB3CI5vFF1/nS
 LOj/Bd6FRqkIM6b0b7MWp/J0hQMnSNuElZp+yqlJyy1YuivfXN3vu8iDsHDhlyAs
 OY4SqNmmlaUtSlRaTgJsSt28AFJ4CSgJqziKZux17xzjrstXg1p9BhcnZVzcmjeY
 tcGFptbpUEmrcF2iqR8weaWkJSizgfsI60USrRZwLKM+i1NyOmnk9AWtSxOblNZZ
 0z4QslkZG1/7rtmHOn6qVGcWsic+AINbrzSeBReEg8G/f/P/XI7yRJmQAaQWqzOD
 ByEYoCp6U7gmQY6QiLLwq9d3VTHxV9d6PeC6gqEDM5ifrTIdOwNbL0MPvpb/UOlC
 1IC/RpHOqAwWKTaYvpoutXzw9kG/TXG/yvdphTsStxOSnXeEXntdwmd0CDLKG6sG
 y4xmEqU51KUoQ1UsX++dhxxxR4H7O6WcUmcFGXcrrhAD+x0N7Rd9g+lSDCpxW9yC
 sIzr2aaPpaZMD40gAHb4vlXR+MqJdIFAAJ4xI1oaU+zSuxkEUn05xR6OgVgAdMLp
 jT1SbI0XpbviakV6mwquAND7HOKWP/eZ7NLf6LlJIp0wrkBZRrQ=
 =2ce7
 -----END PGP SIGNATURE-----
mergetag object 99e309b6ed
 type commit
 tag clang-format-for-linus-v5.0-rc3
 tagger Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> 1547999145 +0100
 
 clang-format changes:
 
   - Update of the for_each macro list
     From Jason Gunthorpe
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEPjU5OPd5QIZ9jqqOGXyLc2htIW0FAlxEmAYACgkQGXyLc2ht
 IW3AZQ//byEzF7HPogmwAQDA8cs6Rg2GSP3ohPsGavvqmd6AegXMqAfV9VNzFRBr
 tekhJuPufen6TjFkD+1Tlk+dvsXZXb/n/wYQWAJWm5SgOUfzh6Monprhe1JofLz0
 pQ5xIAKtbpsuS6TmjWttXMKWN7aTenNQIPyGXxZziKe653yLYdISuYKDqo9SbLQX
 QaXi911REjZHSUXdHrsmGyidci6HizJZkqCVB7zWrmB3+ygMTzo8x6HPTeIBOAdX
 zEHGDdKQEPKO7y6Jyh5GkCzpCKWqSgdgXsI16eyKsPYymkARaqgMYtCPHTBvZ3e1
 DkpCUg2BEMEDeftEFa9ysNOWppQTw9xDVuk6BO0T8YYeXnLlo9CWb6Dl7YRnoO63
 0nsdvmHRkDKP93Hs9Zn3kZRVvy1EgOeIkfD+gK6sJpibyzJZRFGAwC3ysP/ERDVx
 Lb25tdluWaxKZQwepqC472fiwX1V65YrLX66gUGfF5JIJqYDjeoOl+lgVb8L6Ped
 sjYKO8uf2D9ZPRpsXgecx9u+Fy94P0fPTEm76vo5z1HBMAldihrQnw1U9ZNsvjBr
 HiWIB6ccP/chDN+wtoI/lQGKgqjM6EYWJpts/NkPHvA1d0BUEPJ7/tHTFmUZ0c6z
 DxdcjX/g4Bu/rSyIJaeosdcKNgFm+maHWQX+L+YV9yE1uGTzdcE=
 =mM3e
 -----END PGP SIGNATURE-----

Merge tags 'compiler-attributes-for-linus-v5.0-rc3' and 'clang-format-for-linus-v5.0-rc3' of git://github.com/ojeda/linux

Pull misc clang fixes from Miguel Ojeda:

  - A fix for OPTIMIZER_HIDE_VAR from Michael S Tsirkin

  - Update clang-format with the latest for_each macro list from Jason
    Gunthorpe

* tag 'compiler-attributes-for-linus-v5.0-rc3' of git://github.com/ojeda/linux:
  include/linux/compiler*.h: fix OPTIMIZER_HIDE_VAR

* tag 'clang-format-for-linus-v5.0-rc3' of git://github.com/ojeda/linux:
  clang-format: Update .clang-format with the latest for_each macro list
2019-01-21 07:23:42 +13:00
Florian La Roche
fbfaf85190 fix int_sqrt64() for very large numbers
If an input number x for int_sqrt64() has the highest bit set, then
fls64(x) is 64.  (1UL << 64) is an overflow and breaks the algorithm.

Subtracting 1 is a better guess for the initial value of m anyway and
that's what also done in int_sqrt() implicitly [*].

[*] Note how int_sqrt() uses __fls() with two underscores, which already
    returns the proper raw bit number.

    In contrast, int_sqrt64() used fls64(), and that returns bit numbers
    illogically starting at 1, because of error handling for the "no
    bits set" case. Will points out that he bug probably is due to a
    copy-and-paste error from the regular int_sqrt() case.

Signed-off-by: Florian La Roche <Florian.LaRoche@googlemail.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-21 07:20:18 +13:00
Will Deacon
6e693b3ffe x86: uaccess: Inhibit speculation past access_ok() in user_access_begin()
Commit 594cc251fd ("make 'user_access_begin()' do 'access_ok()'")
makes the access_ok() check part of the user_access_begin() preceding a
series of 'unsafe' accesses.  This has the desirable effect of ensuring
that all 'unsafe' accesses have been range-checked, without having to
pick through all of the callsites to verify whether the appropriate
checking has been made.

However, the consolidated range check does not inhibit speculation, so
it is still up to the caller to ensure that they are not susceptible to
any speculative side-channel attacks for user addresses that ultimately
fail the access_ok() check.

This is an oversight, so use __uaccess_begin_nospec() to ensure that
speculation is inhibited until the access_ok() check has passed.

Reported-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-20 15:33:22 +12:00
Linus Torvalds
b0f3e768a8 arm64 fixes for -rc3
- Fix broken kpti page-table rewrite in bizarre KASLR configuration
 
 - Fix module loading with KASLR
 
 - Remove redundant definition of ARCH_SLAB_MINALIGN
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEPxTL6PPUbjXGY88ct6xw3ITBYzQFAlxDkU8ACgkQt6xw3ITB
 YzRSeggAsvhxwa0Yg61A/s3tuaSO+kb6U6QXCVZSBw5F6tn3TPm7txoLlq+kUFoq
 gcQ5RFzoGaW27TQafWQHVWcwYVWHYAc4WqSLQBQDMDPRpA0WR7sx/WUaxPdBDHt1
 qLYHTKs68oTCdHMbvugNQhvBEt9s0qAQzrBk4exPhTLxkeWYELK4F2SpSgxzJun/
 K5Eg9qrl8XRCXO5TGyUT54MtZaF2utnopJOVupRpBpIjBrCY6BGSpZbWA6pcNlUr
 hftyXYMB8B4VGtKWAZp8mive2PFbzH/cj/rmxWDQRl0JUfnLw3lqXyHO8fe1e8vJ
 cZ6tW2shLhHzEM50OmAYnfaeTPqxcg==
 =EjUI
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:
 "Three arm64 fixes for -rc3.

  We've plugged a couple of nasty issues involving KASLR-enabled
  kernels, and removed a redundant #define that was introduced as part
  of the KHWASAN fixes from akpm at -rc2.

   - Fix broken kpti page-table rewrite in bizarre KASLR configuration

   - Fix module loading with KASLR

   - Remove redundant definition of ARCH_SLAB_MINALIGN"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  kasan, arm64: remove redundant ARCH_SLAB_MINALIGN define
  arm64: kaslr: ensure randomized quantities are clean to the PoC
  arm64: kpti: Update arm64_kernel_use_ng_mappings() when forced on
2019-01-20 15:27:59 +12:00
David S. Miller
6436408e81 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says:

====================
pull-request: bpf 2019-01-20

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Fix a out-of-bounds access in __bpf_redirect_no_mac, from Willem.

2) Fix bpf_setsockopt to reset sock dst on SO_MARK changes, from Peter.

3) Fix map in map masking to prevent out-of-bounds access under
   speculative execution, from Daniel.

4) Fix bpf_setsockopt's SO_MAX_PACING_RATE to support TCP internal
   pacing, from Yuchung.

5) Fix json writer license in bpftool, from Thomas.

6) Fix AF_XDP to check if an actually queue exists during umem
   setup, from Krzysztof.

7) Several fixes to BPF stackmap's build id handling. Another fix
   for bpftool build to account for libbfd variations wrt linking
   requirements, from Stanislav.

8) Fix BPF samples build with clang by working around missing asm
   goto, from Yonghong.

9) Fix libbpf to retry program load on signal interrupt, from Lorenz.

10) Various minor compile warning fixes in BPF code, from Mathieu.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-19 16:38:12 -08:00
Willem de Bruijn
e7c87bd6cc bpf: in __bpf_redirect_no_mac pull mac only if present
Syzkaller was able to construct a packet of negative length by
redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:

    BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
    BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
    BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
    Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942

    kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
    check_memory_region_inline mm/kasan/kasan.c:260 [inline]
    check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
    memcpy+0x23/0x50 mm/kasan/kasan.c:302
    memcpy include/linux/string.h:345 [inline]
    skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
    __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
    __pskb_copy include/linux/skbuff.h:1053 [inline]
    pskb_copy include/linux/skbuff.h:2904 [inline]
    skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
    ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
    sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
    __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
    netdev_start_xmit include/linux/netdevice.h:4334 [inline]
    xmit_one net/core/dev.c:3219 [inline]
    dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
    __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
    dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
    __bpf_tx_skb net/core/filter.c:2016 [inline]
    __bpf_redirect_common net/core/filter.c:2054 [inline]
    __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
    ____bpf_clone_redirect net/core/filter.c:2094 [inline]
    bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
    bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000

The generated test constructs a packet with mac header, network
header, skb->data pointing to network header and skb->len 0.

Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
mac length, even though skb->data already is at skb->network_header.
bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.

Update the offset calculation to pull only if skb->data differs
from skb->network_header, which is not true in this case.

The test itself can be run only from commit 1cf1cae963 ("bpf:
introduce BPF_PROG_TEST_RUN command"), but the same type of packets
with skb at network header could already be built from lwt xmit hooks,
so this fix is more relevant to that commit.

Also set the mac header on redirect from LWT_XMIT, as even after this
change to __bpf_redirect_no_mac that field is expected to be set, but
is not yet in ip_finish_output2.

Fixes: 3a0af8fd61 ("bpf: BPF for lightweight tunnel infrastructure")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2019-01-20 01:11:48 +01:00
Michael S. Tsirkin
df133f3f96 virtio_net: bulk free tx skbs
Use napi_consume_skb() to get bulk free.  Note that napi_consume_skb is
safe to call in a non-napi context as long as the napi_budget flag is
correct.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-19 16:06:52 -08:00
Linus Torvalds
5d5c303ea0 A few MIPS fixes for 5.0:
- Fix IPI handling for Lantiq SoCs, which was broken by changes made
   back in v4.12.
 
 - Enable OF/DT serial support in ath79_defconfig to give us working
   serial by default.
 
 - Fix 64b builds for the Jazz platform.
 
 - Set up a struct device for the BCM47xx SoC to allow BCM47xx drivers to
   perform DMA again following the major DMA mapping changes made in
   v4.19.
 
 - Disable MSI on Cavium Octeon systems when the pcie_disable command
   line parameter introduced in v3.3 is used, in order to avoid
   inadvetently accessing PCIe controller registers despite the command
   line.
 
 - Fix a build failure for Cavium Octeon kernels with kexec enabled,
   introduced in v4.20.
 
 - Fix a regression in the behaviour of semctl/shmctl/msgctl IPC syscalls
   for kernels including n32 support but not o32 support caused by some
   cleanup in v3.19.
 -----BEGIN PGP SIGNATURE-----
 
 iIsEABYIADMWIQRgLjeFAZEXQzy86/s+p5+stXUA3QUCXEJhqRUccGF1bC5idXJ0
 b25AbWlwcy5jb20ACgkQPqefrLV1AN2aWwEA4ZExeZQi+g9oPNII/jd9wbLKU4Eq
 xjl/+NdzPVu+pP4A/AuG5hsEMFIgS2U0k2js7kNMHCzoV9Ky2m3kdbSNHvQI
 =AqoC
 -----END PGP SIGNATURE-----

Merge tag 'mips_fixes_5.0_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux

Pull MIPS fixes from Paul Burton:

 - Fix IPI handling for Lantiq SoCs, which was broken by changes made
   back in v4.12.

 - Enable OF/DT serial support in ath79_defconfig to give us working
   serial by default.

 - Fix 64b builds for the Jazz platform.

 - Set up a struct device for the BCM47xx SoC to allow BCM47xx drivers
   to perform DMA again following the major DMA mapping changes made in
   v4.19.

 - Disable MSI on Cavium Octeon systems when the pcie_disable command
   line parameter introduced in v3.3 is used, in order to avoid
   inadvetently accessing PCIe controller registers despite the command
   line.

 - Fix a build failure for Cavium Octeon kernels with kexec enabled,
   introduced in v4.20.

 - Fix a regression in the behaviour of semctl/shmctl/msgctl IPC
   syscalls for kernels including n32 support but not o32 support caused
   by some cleanup in v3.19.

* tag 'mips_fixes_5.0_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
  MIPS: OCTEON: fix kexec support
  mips: fix n32 compat_ipc_parse_version
  Disable MSI also when pcie-octeon.pcie_disable on
  MIPS: BCM47XX: Setup struct device for the SoC
  MIPS: jazz: fix 64bit build
  MIPS: ath79: Enable OF serial ports in the default config
  MIPS: lantiq: Use CP0_LEGACY_COMPARE_IRQ
  MIPS: lantiq: Fix IPI interrupt handling
2019-01-20 10:33:18 +12:00
Linus Torvalds
6a0141a096 A single build fix for powerpc due to device_node.type removal
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCgAuFiEEktVUI4SxYhzZyEuo+vtdtY28YcMFAlxDUjkQHHJvYmhAa2Vy
 bmVsLm9yZwAKCRD6+121jbxhwzTBD/9MfQbCzF5IcgW+alp7fKqoFH5MQUkwEQgO
 TJ7TO/CgrnT/uDjUe90tfixsF7A4orpK8h8FWczLF22Ksnirqaxv4Gcmj0ItGQlD
 TeTzCV7DW6Kgcv6weQjH5PohB3XUKzHQe8/MdZCXnn/ikQpKK5bmQEV3Kxw1s4zM
 jHIwMGcDy+EKbcLPpq/lhLyCR7Ce3SrzCtrY41rw+tpgi450A72g0/sOf5onb/Xz
 +/akwRl8lIfcIl21+wMA4zyLOHVeqio+xvXSiYB31z82Pv2v4hGLxjTqBVfPLhpq
 1qJI1ua4v+424RLBNInuEf3+lnUkNizjT38INw0zw+E86TLtQYj1n/m2upoVsRE3
 ggLWVnxlWEIebDhpLySnKW9R58fYxXSq+qaP2jOKkGjzx+0HCZDVIjZwZx3C2Vft
 sMAVSNKd+Mche6GGGEhcPxmKnMIh6P2XyIo/60hv8JqYY6CwqxBGyCGQvCck38AA
 OySmMnS7q31pwiS3m6/RnlLiL6JmHeI/P5FRmPUak68Gbsp7dddcw6dIFUuOBsnF
 QQpuq99cG4r3e9Az5/A45KNrR5MyZVJHoZj0CmjLPRnQuJsPvpEk5BQi2rmH5jSG
 F/BPcFU9/+r65tDVYVmOaaHfqOWk9oeoxGR+e8ve/MpfTktid7to/dLv9smqs0UB
 XdHeh+jepg==
 =6H3h
 -----END PGP SIGNATURE-----

Merge tag 'devicetree-fixes-for-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

Pull Devicetree fix from Rob Herring:
 "A single build fix for powerpc due to device_node.type removal"

* tag 'devicetree-fixes-for-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  powerpc: chrp: Use of_node_is_type to access device_type
2019-01-20 10:28:46 +12:00
Linus Torvalds
26caabbcd7 libnvdimm v5.0-rc3
* Fix driver initialization crash due to the inability to report an
   'error' state for a DIMM's security capability.
 * Build warning fix for little-endian ARM64 builds
 * Fix a potential race between the EDAC driver's usage of the NFIT
   SMBIOS id for a DIMM and the driver shutdown path.
 * A small collection of one-line benign cleanups for duplicate variable
   assignments, a duplicate header include and a mis-typed function
   argument.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJcQ4vDAAoJEB7SkWpmfYgCwrYP/iCZZVWz7TlP8u73alEXtw4G
 gPPQHb+n0Y5DQOMZCu1jFfKvkZzcIq4Wp6277Ht6DEREzoobyswRM8G1EKOwbzUM
 J9D0Hm8XCy9Z6v3MpH/VASMowjQkClL/5xy8rlJdZMjprjDFqq3t4M/sBARsaeZv
 xldAcNdbAQWq6HEebLZXja/AF8Ex0o59Z/w3oJ1Ds98mGPjGPUejV9cnpgCOHGZc
 rfB9DZdEKf4CUEqZmlRI253yhR4iHtzKJQGMadQVhcLdO/Jjc8DKxozOgxQOuWQu
 SvAv6t+tymGzPCUJg+pFROwemn3mB2fh3XMaueEY1biCZcj67Lml0H/zTewezsI7
 CZ4ZUPypc9L50GIUYCyPkNuB7E6jXmMD6Vn7EEx1GwQTlZmRQ8WbTELLGGsNUfvI
 55TqT0IbcnUhOXqKbaYql1Y7Z/yEmiBI1f5VdB9zXQKZ66dcgfgfVqLfhw7HUmmu
 j6J3xAtvcYX8x2EA75fdfr5mKUyrr1UAYG6bkActll0mRIHK4u2+ME4E4wmhZidG
 PlZV0sIy6EMDTbTyFP1N0P9FsG4DmK6mTATXFn/CqYMoW3TTuAlsWxhdtGMzhpur
 See6W4yJ0pT3wmzzPcOgPI4erntb7dQirwDjclw4qj/DnUegPKxP8UxXzFBH3gFV
 /wYYqXWh0cXa/Jq9YX3L
 =HCIs
 -----END PGP SIGNATURE-----

Merge tag 'libnvdimm-fixes-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm

Pull libnvdimm fixes from Dan Williams:
 "A crash fix, a build warning fix, a miscellaneous small cleanups.

  In case anyone is looking for them, there was a regression caught by
  testing that caused two patches to be dropped from this update.  Those
  patches have been reworked and will soak for another week / re-target
  5.0-rc4.

   - Fix driver initialization crash due to the inability to report an
     'error' state for a DIMM's security capability.

   - Build warning fix for little-endian ARM64 builds

   - Fix a potential race between the EDAC driver's usage of the NFIT
     SMBIOS id for a DIMM and the driver shutdown path.

   - A small collection of one-line benign cleanups for duplicate
     variable assignments, a duplicate header include and a mis-typed
     function argument"

* tag 'libnvdimm-fixes-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
  libnvdimm/security: Fix nvdimm_security_state() state request selection
  acpi/nfit: Remove duplicate set nd_set in acpi_nfit_init_interleave_set()
  acpi/nfit: Fix race accessing memdev in nfit_get_smbios_id()
  libnvdimm/dimm: Fix security capability detection for non-Intel NVDIMMs
  nfit: Mark some functions as __maybe_unused
  ACPI/nfit: delete the function to_acpi_nfit_desc
  ACPI/nfit: delete the redundant header file
2019-01-20 10:24:30 +12:00
Linus Torvalds
f403d718eb linux-watchdog 5.0-rc-fixes tag
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.14 (GNU/Linux)
 
 iEYEABECAAYFAlxDCwIACgkQ+iyteGJfRsq2qwCgxfbjmuRPmmo9qfFF9/0TNLGY
 aJkAniMRSsJzw1BhfW4+7841jPAZm3EV
 =ZUhJ
 -----END PGP SIGNATURE-----

Merge tag 'linux-watchdog-5.0-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog

Pull watchdog fixes from Wim Van Sebroeck:

 - mt7621_wdt/rt2880_wdt: Fix compilation problem

 - tqmx86: Fix a couple IS_ERR() vs NULL bugs

* tag 'linux-watchdog-5.0-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog:
  watchdog: tqmx86: Fix a couple IS_ERR() vs NULL bugs
  watchdog: mt7621_wdt/rt2880_wdt: Fix compilation problem
2019-01-20 09:58:52 +12:00
Linus Torvalds
b0efca46b5 NFS client fixes for Linux 5.0
Stable bugfixes:
 - Fix TCP receive code on archs with flush_dcache_page()
 
 Other bugfixes:
 - Fix error code in rpcrdma_buffer_create()
 - Fix a double free in rpcrdma_send_ctxs_create()
 - Fix kernel BUG at kernel/cred.c:825
 - Fix unnecessary retry in nfs42_proc_copy_file_range()
 - Ensure rq_bytes_sent is reset before request transmission
 - Ensure we respect the RPCSEC_GSS sequence number limit
 - Address Kerberos performance/behavior regression
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEnZ5MQTpR7cLU7KEp18tUv7ClQOsFAlxCH1kACgkQ18tUv7Cl
 QOs4rBAAymqyhUzNgap1TX/KezFxqii7CVMVabrA5eGN+ZXbSVAZkwy7BMZWwVIp
 tEvD7lxWtF11x7bQDw7Xz+ruBCjLdD0RQIFnlBpVKqsRy9oSRA4PsgSbuIFaw+gX
 Bun4Z0xmOCPF7knRv6gQonArEZfHeokIIN8AtSBtWVByaOrnZwgDkNTIub8akpUl
 FQlzgq7lTydVzNcju2ImBeubU7KgFEu0F2Zub5z/iR+F2Mx/bAju8Q4YeVlPyD8U
 QJoIBlXAvgK8LK4bZCh40zPeEt0TMWXnW7o0JHgVQ0g6VbT+hp17I7fz91xEazye
 qbjpIJIjv5daEv0REM8t5ZCZB3tEatVjb4EQWXp0gJYb0l5E3I/O+7MO44n4uMYx
 s3UTxzM6NjwCtlgmn4tYUj+vEIExQHUUnwOl02e5iEa7bqNNY75ehAhj5Rh7iQBH
 H4b+OVuqc608q87rNePdK1LRyh0/u1cDI1kDAQoIP2omlb5hJQGk0Nuz9G2BodIj
 rP0x7nV+ykOXZtr6TR+RvaksL1W39PzVKYA0aL+e2gbcv4YO+Oq1phvNKwRWPM4a
 g08r/kvifS5h6/Jq8Wmn83f1vAOX7Sf23RtEoj+t9hc4S4JbsV2iYK3PY3eWbSYE
 Oz0Vt4gvBBJ+0rHJ10BsQ7686OQkyMKpIlvmx6O5mWVlthovbJM=
 =6Nzz
 -----END PGP SIGNATURE-----

Merge tag 'nfs-for-5.0-2' of git://git.linux-nfs.org/projects/anna/linux-nfs

Pull NFS client fixes from Anna Schumaker:
 "These are mostly fixes for SUNRPC bugs, with a single v4.2
  copy_file_range() fix mixed in.

  Stable bugfixes:
   - Fix TCP receive code on archs with flush_dcache_page()

  Other bugfixes:
   - Fix error code in rpcrdma_buffer_create()
   - Fix a double free in rpcrdma_send_ctxs_create()
   - Fix kernel BUG at kernel/cred.c:825
   - Fix unnecessary retry in nfs42_proc_copy_file_range()
   - Ensure rq_bytes_sent is reset before request transmission
   - Ensure we respect the RPCSEC_GSS sequence number limit
   - Address Kerberos performance/behavior regression"

* tag 'nfs-for-5.0-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
  SUNRPC: Address Kerberos performance/behavior regression
  SUNRPC: Ensure we respect the RPCSEC_GSS sequence number limit
  SUNRPC: Ensure rq_bytes_sent is reset before request transmission
  NFSv4.2 fix unnecessary retry in nfs4_copy_file_range
  sunrpc: kernel BUG at kernel/cred.c:825!
  SUNRPC: Fix TCP receive code on archs with flush_dcache_page()
  xprtrdma: Double free in rpcrdma_sendctxs_create()
  xprtrdma: Fix error code in rpcrdma_buffer_create()
2019-01-20 09:27:38 +12:00
Linus Torvalds
4d5f6e0201 SCSI fixes on 20190118
A set of 17 fixes.  Most of these are minor or trivial.  The one fix
 that may be serious is the isci one: the bug can cause hba parameters
 to be set from uninitialized memory.  I don't think it's exploitable,
 but you never know.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCXEKL0SYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishVZpAQCwuPTk
 fqOt4v4hJ0oUHtEBsQK3VMXSdUvWdb5Lbn3WeQD/RFYTyNxcIF7ADSWw71b+IigT
 ejUrMzI8ig+nZ1jbFZ4=
 =BdS/
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "A set of 17 fixes. Most of these are minor or trivial.

  The one fix that may be serious is the isci one: the bug can cause hba
  parameters to be set from uninitialized memory. I don't think it's
  exploitable, but you never know"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: cxgb4i: add wait_for_completion()
  scsi: qla1280: set 64bit coherent mask
  scsi: ufs: Fix geometry descriptor size
  scsi: megaraid_sas: Retry reads of outbound_intr_status reg
  scsi: qedi: Add ep_state for login completion on un-reachable targets
  scsi: ufs: Fix system suspend status
  scsi: qla2xxx: Use correct number of vectors for online CPUs
  scsi: hisi_sas: Set protection parameters prior to adding SCSI host
  scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes
  scsi: isci: initialize shost fully before calling scsi_add_host()
  scsi: lpfc: lpfc_sli: Mark expected switch fall-throughs
  scsi: smartpqi_init: fix boolean expression in pqi_device_remove_start
  scsi: core: Synchronize request queue PM status only on successful resume
  scsi: pm80xx: reduce indentation
  scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
  scsi: megaraid_sas: correct an info message
  scsi: target/iscsi: fix error msg typo when create lio_qr_cache failed
  scsi: sd: Fix cache_type_store()
2019-01-20 09:15:04 +12:00
Linus Torvalds
0facb89245 for-linus-20190118
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAlxCLxcQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpmBID/0SpsLsnoeki37Wei0HzBZeRdFGIXFfg1XB
 +s66nJUL+igHIIwH+EO7Ct+vw8jfCWZfasI+ThGtkgRg88bqJO3HEbE1MQY8KlTh
 Dm9LRHH9Jp4OYbbag2RXammaD4XKi980fIyVTp9R0keszQroSUTXXS40fksszTtB
 K4LEBiAxGJgin60W9RgbbK93n/pw17U5Wu2WID6ZfVxZYVzpXl0iIQXUz1zmnpy5
 3aP7ORqJGnH7WQiV57LMpq5/QFBoKrfUsjtxpnJ+i2694sLYX8NCqnH82SUliSU+
 NN3Vxic1ozmZEADFKg4dfmgVqqyJaoVCRvsA5i5YjqG9m65G/S7/BmsaWbq5Ixf2
 N1KQr/36vkYGYWqtb2rbYRVf9XfbxWKp1wuSaX3N1Vh1/Ee180qD68+wpa/0mtkh
 2dXV6CQP9De4BXH6mxj3Yr7LI2a2r7KLYhULZCAvLMvDtsBrPyHAmRRgXxaLlKL8
 QMFYYO/1wjlzpGnn4IxP8sDMH6N2shtZHAmC2n9TM2gmk5tA0OmajJJ4uxNbtyhw
 +ZlDco3aw/x0v2onjlbTiPij2cReRgwN+tVaEvn0dj3uxaisCru60iYdnr9FX4nL
 g3NxNUJbUhl6YMwvNMI0GKfz1IILzjPgJIhDqSHvYhtCA1w0DMVXs3Qv4HXoVh3m
 ffdby6/Yqw==
 =5yJp
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-20190118' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:

 - block size setting fixes for loop/nbd (Jan Kara)

 - md bio_alloc_mddev() cleanup (Marcos)

 - Ensure we don't lose the REQ_INTEGRITY flag (Ming)

 - Two NVMe fixes by way of Christoph:
    - Fix NVMe IRQ calculation (Ming)
    - Uninitialized variable in nvmet-tcp (Sagi)

 - BFQ comment fix (Paolo)

 - License cleanup for recently added blk-mq-debugfs-zoned (Thomas)

* tag 'for-linus-20190118' of git://git.kernel.dk/linux-block:
  block: Cleanup license notice
  nvme-pci: fix nvme_setup_irqs()
  nvmet-tcp: fix uninitialized variable access
  block: don't lose track of REQ_INTEGRITY flag
  blockdev: Fix livelocks on loop device
  nbd: Use set_blocksize() to set device blocksize
  md: Make bio_alloc_mddev use bio_alloc_bioset
  block, bfq: fix comments on __bfq_deactivate_entity
2019-01-20 09:12:50 +12:00
Jason Gunthorpe
99e309b6ed clang-format: Update .clang-format with the latest for_each macro list
Re-run the shell fragment that generated the original list. In particular
this adds the missing xarray related functions.

Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2019-01-19 19:26:06 +01:00
Camelia Groza
3e64cf7a43 net: phy: phy driver features are mandatory
Since phy driver features became a link_mode bitmap, phy drivers that
don't have a list of features configured will cause the kernel to crash
when probed.

Prevent the phy driver from registering if the features field is missing.

Fixes: 719655a149 ("net: phy: Replace phy driver features u32 with link_mode bitmap")
Reported-by: Scott Wood <oss@buserror.net>
Signed-off-by: Camelia Groza <camelia.groza@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-19 10:03:08 -08:00
Nathan Chancellor
7afa81c55f isdn: avm: Fix string plus integer warning from Clang
A recent commit in Clang expanded the -Wstring-plus-int warning, showing
some odd behavior in this file.

drivers/isdn/hardware/avm/b1.c:426:30: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
                cinfo->version[j] = "\0\0" + 1;
                                    ~~~~~~~^~~
drivers/isdn/hardware/avm/b1.c:426:30: note: use array indexing to silence this warning
                cinfo->version[j] = "\0\0" + 1;
                                           ^
                                    &      [  ]
1 warning generated.

This is equivalent to just "\0". Nick pointed out that it is smarter to
use "" instead of "\0" because "" is used elsewhere in the kernel and
can be deduplicated at the linking stage.

Link: https://github.com/ClangBuiltLinux/linux/issues/309
Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-19 10:01:03 -08:00
Rob Herring
75a080cde0 powerpc: chrp: Use of_node_is_type to access device_type
Commit 8ce5f84157 ("of: Remove struct device_node.type pointer")
removed struct device_node.type pointer, but the conversion to use
of_node_is_type() accessor was missed in chrp_init_IRQ().

Fixes: 8ce5f84157 ("of: Remove struct device_node.type pointer")
Reported-by: kbuild test robot <lkp@intel.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: linuxppc-dev@lists.ozlabs.org
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-19 10:35:42 -06:00