Commit Graph

810282 Commits

Author SHA1 Message Date
Daniel Borkmann b7137c4eab bpf: fix check_map_access smin_value test when pointer contains offset
In check_map_access() we probe actual bounds through __check_map_access()
with offset of reg->smin_value + off for lower bound and offset of
reg->umax_value + off for the upper bound. However, even though the
reg->smin_value could have a negative value, the final result of the
sum with off could be positive when pointer arithmetic with known and
unknown scalars is combined. In this case we reject the program with
an error such as "R<x> min value is negative, either use unsigned index
or do a if (index >=0) check." even though the access itself would be
fine. Therefore extend the check to probe whether the actual resulting
reg->smin_value + off is less than zero.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2019-01-02 16:01:24 -08:00
Daniel Borkmann 9d7eceede7 bpf: restrict unknown scalars of mixed signed bounds for unprivileged
For unknown scalars of mixed signed bounds, meaning their smin_value is
negative and their smax_value is positive, we need to reject arithmetic
with pointer to map value. For unprivileged the goal is to mask every
map pointer arithmetic and this cannot reliably be done when it is
unknown at verification time whether the scalar value is negative or
positive. Given this is a corner case, the likelihood of breaking should
be very small.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2019-01-02 16:01:24 -08:00
Daniel Borkmann e4298d2583 bpf: restrict stack pointer arithmetic for unprivileged
Restrict stack pointer arithmetic for unprivileged users in that
arithmetic itself must not go out of bounds as opposed to the actual
access later on. Therefore after each adjust_ptr_min_max_vals() with
a stack pointer as a destination we simulate a check_stack_access()
of 1 byte on the destination and once that fails the program is
rejected for unprivileged program loads. This is analog to map
value pointer arithmetic and needed for masking later on.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2019-01-02 16:01:24 -08:00
Daniel Borkmann 0d6303db79 bpf: restrict map value pointer arithmetic for unprivileged
Restrict map value pointer arithmetic for unprivileged users in that
arithmetic itself must not go out of bounds as opposed to the actual
access later on. Therefore after each adjust_ptr_min_max_vals() with a
map value pointer as a destination it will simulate a check_map_access()
of 1 byte on the destination and once that fails the program is rejected
for unprivileged program loads. We use this later on for masking any
pointer arithmetic with the remainder of the map value space. The
likelihood of breaking any existing real-world unprivileged eBPF
program is very small for this corner case.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2019-01-02 16:01:24 -08:00
Daniel Borkmann 9b73bfdd08 bpf: enable access to ax register also from verifier rewrite
Right now we are using BPF ax register in JIT for constant blinding as
well as in interpreter as temporary variable. Verifier will not be able
to use it simply because its use will get overridden from the former in
bpf_jit_blind_insn(). However, it can be made to work in that blinding
will be skipped if there is prior use in either source or destination
register on the instruction. Taking constraints of ax into account, the
verifier is then open to use it in rewrites under some constraints. Note,
ax register already has mappings in every eBPF JIT.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2019-01-02 16:01:24 -08:00
Daniel Borkmann 144cd91c4c bpf: move tmp variable into ax register in interpreter
This change moves the on-stack 64 bit tmp variable in ___bpf_prog_run()
into the hidden ax register. The latter is currently only used in JITs
for constant blinding as a temporary scratch register, meaning the BPF
interpreter will never see the use of ax. Therefore it is safe to use
it for the cases where tmp has been used earlier. This is needed to later
on allow restricted hidden use of ax in both interpreter and JITs.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2019-01-02 16:01:24 -08:00
Daniel Borkmann c08435ec7f bpf: move {prev_,}insn_idx into verifier env
Move prev_insn_idx and insn_idx from the do_check() function into
the verifier environment, so they can be read inside the various
helper functions for handling the instructions. It's easier to put
this into the environment rather than changing all call-sites only
to pass it along. insn_idx is useful in particular since this later
on allows to hold state in env->insn_aux_data[env->insn_idx].

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2019-01-02 16:01:24 -08:00
Aditya Pakki 9c6260de50 infiniband/qedr: Potential null ptr dereference of qp
idr_find() may fail and return a NULL pointer. The fix checks the return
value of the function and returns an error in case of NULL.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Acked-by: Michal Kalderon <michal.kalderon@marvell.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2019-01-02 16:08:38 -07:00
Aditya Pakki 94edd87a1c infiniband: bnxt_re: qplib: Check the return value of send_message
In bnxt_qplib_map_tc2cos(), bnxt_qplib_rcfw_send_message() can return an
error value but it is lost. Propagate this error to the callers.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Acked-By: Devesh Sharma <devesh.sharma@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2019-01-02 16:04:24 -07:00
Julia Lawall 2fb458953a IB/ipoib: drop useless LIST_HEAD
Drop LIST_HEAD where the variable it declares is never used.

Commit 31c02e2157 ("IPoIB: Avoid using stale last_send counter
when reaping AHs") removed the uses, but not the declaration.

The semantic patch that fixes this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
identifier x;
@@
- LIST_HEAD(x);
  ... when != x
// </smpl>

Fixes: 31c02e2157 ("IPoIB: Avoid using stale last_send counter when reaping AHs")
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2019-01-02 15:42:43 -07:00
Aaro Koskinen edefae94b7
MIPS: OCTEON: mark RGMII interface disabled on OCTEON III
Commit 885872b722 ("MIPS: Octeon: Add Octeon III CN7xxx
interface detection") added RGMII interface detection for OCTEON III,
but it results in the following logs:

[    7.165984] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
[    7.173017] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe

The current RGMII routines are valid only for older OCTEONS that
use GMX/ASX hardware blocks. On later chips AGL should be used,
but support for that is missing in the mainline. Until that is added,
mark the interface as disabled.

Fixes: 885872b722 ("MIPS: Octeon: Add Octeon III CN7xxx interface detection")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@vger.kernel.org
Cc: stable@vger.kernel.org # 4.7+
2019-01-02 14:17:24 -08:00
Bjorn Helgaas 72199051af Merge branch 'pci/imx6'
- Enable MSI for imx6 downstream components (Richard Zhu)

* pci/imx6:
  PCI: imx: Enable MSI from downstream components
2019-01-02 15:31:15 -06:00
Bjorn Helgaas cdf4f4dc11 Merge branch 'remotes/lorenzo/pci/uniphier'
- Add UniPhier PCIe controller driver and DT bindings (Kunihiko Hayashi)

* remotes/lorenzo/pci/uniphier:
  PCI: uniphier: Add UniPhier PCIe host controller support
  dt-bindings: PCI: Add UniPhier PCIe host controller description

# Conflicts:
#	drivers/pci/controller/dwc/Kconfig
#	drivers/pci/controller/dwc/Makefile
2019-01-02 15:31:15 -06:00
Bjorn Helgaas c266b026ae Merge branch 'remotes/lorenzo/pci/mediatek'
- Use devm resource parser in mediatek (Honghui Zhang)

  - Remove unused mediatek "num-lanes" DT property (Honghui Zhang)

* remotes/lorenzo/pci/mediatek:
  arm64: dts: mt7622: Remove un-used property for PCIe
  arm: dts: mt7623: Remove un-used property for PCIe
  dt-bindings: PCI: MediaTek: Remove un-used property
  PCI: mediatek: Remove un-used variant in struct mtk_pcie_port
  PCI: mediatek: Use devm_of_pci_get_host_bridge_resources() to parse DT
2019-01-02 15:31:10 -06:00
Bjorn Helgaas c8778707c2 Merge branch 'remotes/lorenzo/pci/dwc-msi'
- Mask DesignWare interrupts instead of disabling them to avoid lost
    interrupts (Marc Zyngier)

  - Add locking when acking DesignWare interrupts (Marc Zyngier)

  - Ack DesignWare interrupts in the proper callbacks (Marc Zyngier)

* remotes/lorenzo/pci/dwc-msi:
  PCI: dwc: Move interrupt acking into the proper callback
  PCI: dwc: Take lock when ACKing an interrupt
  PCI: dwc: Use interrupt masking instead of disabling
2019-01-02 15:31:09 -06:00
Bjorn Helgaas 6a790bf0ea Merge branch 'remotes/lorenzo/pci/dwc'
- Constify histb dw_pcie_host_ops structure (Julia Lawall)

  - Support multiple power domains for imx6 (Leonard Crestez)

  - Constify layerscape driver data (Stefan Agner)

  - Update imx6 Kconfig to allow imx6 PCIe in imx7 kernel (Trent Piepho)

  - Support armada8k GPIO reset (Baruch Siach)

  - Support suspend/resume support on imx6 (Leonard Crestez)

  - Don't hard-code DesignWare DBI/ATU offst (Stephen Warren)

  - Skip i.MX6 PHY setup on i.MX7D (Andrey Smirnov)

  - Remove Jianguo Sun from HiSilicon STB maintainers (Lorenzo Pieralisi)

* remotes/lorenzo/pci/dwc:
  MAINTAINERS: Remove Jianguo Sun from HiSilicon STB DWC entry
  PCI: dwc: Don't hard-code DBI/ATU offset
  PCI: imx: Add imx6sx suspend/resume support
  PCI: armada8k: Add support for gpio controlled reset signal
  PCI: dwc: Adjust Kconfig to allow IMX6 PCIe host on IMX7
  PCI: dwc: layerscape: Constify driver data
  PCI: imx: Add multi-pd support
  dt-bindings: imx6q-pcie: Add multi-pd bindings for imx6sx
  PCI: histb: Constify dw_pcie_host_ops structure
2019-01-02 15:31:08 -06:00
Bjorn Helgaas 33f3fd75b7 Merge branch 'remotes/lorenzo/pci/amlogic'
- Add Amlogic Meson PCIe controller driver and DT bindings (Yue Wang)

* remotes/lorenzo/pci/amlogic:
  PCI: amlogic: Add the Amlogic Meson PCIe controller driver
  dt-bindings: PCI: meson: add DT bindings for Amlogic Meson PCIe controller
2019-01-02 15:31:07 -06:00
Bjorn Helgaas 6ee86cac1c Merge branch 'pci/virtualization'
- Skip VF scanning on powerpc, which does this in firmware (Sebastian
    Ott)

* pci/virtualization:
  s390/pci: skip VF scanning
  PCI/IOV: Add flag so platforms can skip VF scanning
  PCI/IOV: Factor out sriov_add_vfs()
2019-01-02 15:31:06 -06:00
Bjorn Helgaas 54aed1909d Merge branch 'pci/switchtec'
- Remove status check after submitting Switchtec MRPC Firmware Download
    commands to avoid Completion Timeouts (Kelvin Cao)

  - Set Switchtec coherent DMA mask to allow 64-bit DMA (Boris Glimcher)

  - Fix Switchtec SWITCHTEC_IOCTL_EVENT_IDX_ALL flag overwrite issue (Joey
    Zhang)

  - Enable write combining for Switchtec MRPC Input buffers (Kelvin Cao)

  - Add Switchtec MRPC DMA mode support (Wesley Sheng)

* pci/switchtec:
  switchtec: Add MRPC DMA mode support
  switchtec: Improve MRPC efficiency by enabling write combining
  switchtec: Fix SWITCHTEC_IOCTL_EVENT_IDX_ALL flags overwrite
  switchtec: Set DMA coherent mask
  switchtec: Remove immediate status check after submitting MRPC command
2019-01-02 15:31:05 -06:00
Bjorn Helgaas 6f7cebea6b Merge branch 'pci/pm'
- Allow runtime PM even if driver doesn't supply callbacks (Jarkko
    Nikula)

* pci/pm:
  PCI / PM: Allow runtime PM without callback functions
2019-01-02 15:31:05 -06:00
Bjorn Helgaas baa12e5f3a Merge branch 'pci/peer-to-peer'
- Clean up P2PDMA documentation (Randy Dunlap)

* pci/peer-to-peer:
  PCI/P2PDMA: Clean up documentation and kernel-doc
2019-01-02 15:31:04 -06:00
Bjorn Helgaas e6397dfcb5 Merge branch 'pci/misc'
- Expand Kconfig "PF" acronyms (Randy Dunlap)

  - Update MAINTAINERS for arch/x86/kernel/early-quirks.c (Bjorn Helgaas)

  - Add missing include to drivers/pci.h (Alexandru Gagniuc)

  - Override Synopsys USB 3.x HAPS device class so dwc3-haps can claim it
    instead of xhci (Thinh Nguyen)

* pci/misc:
  PCI: Override Synopsys USB 3.x HAPS device class
  PCI: Move Synopsys HAPS platform device IDs
  PCI: Add missing include to drivers/pci.h
  PCI: Remove unnecessary space before function pointer arguments
  MAINTAINERS: Add x86 early-quirks.c file pattern to PCI subsystem
  PCI: Expand the "PF" acronym in Kconfig help text
2019-01-02 15:31:03 -06:00
Bjorn Helgaas 84e0e72722 Merge branch 'pci/enumeration'
- Fix Broadcom CNB20LE host bridge unintended sign extension (Colin Ian
    King)

* pci/enumeration:
  x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
2019-01-02 15:31:02 -06:00
Bjorn Helgaas 2caa4dc607 Merge branch 'pci/aspm'
- Remove unused lists from ASPM pcie_link_state (Frederick Lawler)

* pci/aspm:
  PCI/ASPM: Remove unused lists from struct pcie_link_state
2019-01-02 15:31:02 -06:00
Linus Torvalds 85f78456f2 Pull request for inclusion in 4.21
Missing prototype warning fix and a syzkaller fix when a 9p server
 advertises a too small msize
 
 ----------------------------------------------------------------
 Adeodato Simó (1):
       net/9p: include trans_common.h to fix missing prototype warning.
 
 Dominique Martinet (1):
       9p/net: put a lower bound on msize
 
  net/9p/client.c       | 21 +++++++++++++++++++++
  net/9p/trans_common.c |  1 +
  2 files changed, 22 insertions(+)
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE/IPbcYBuWt0zoYhOq06b7GqY5nAFAlwlhYwACgkQq06b7GqY
 5nAnuQ/+JLQaW+n6D1/noTBVI0RAVDZNpR00+xG0TP7CKkFvMzS8rW2+Plo3lZuA
 aONbz0Tw2wOrNFNzq/kdN0avb8ZkpqBReCXTINMl6f96BxwvxV5iBR1Kjw1xjdp4
 q4hWj5JktrBWerTWZn0CYb3v2aF2SE16eAMrBC66c1BmagBk0KPHVXrAtLsZuQ3T
 MEnDCUYZCP0GPOZ3cyZqwpXvrBZACJaXfFSnlsx0MN6CJq4W/c/UoCIrFWwBpFH3
 8Cmsht/C42Ob36PMUghLuulKhztFqFwgVHM6iGB5u1RbqyGdIvYXDbd9NwcihNjE
 tbIudu0geYB8At05DcdPfQ5B7UOFxYwbLMbT//E/APxm/vjN90Fyylk62gLwFQM3
 nejVFwHweL7Wzv3tTTLkJR9uCF8qiECP1BN2voyuLbAhivHM+VCggpV3U8nDtAOm
 /zy5I1bkR9uhp0WInG+riq4fnW5xx1WISZrS76AwPgfHjS1i+191hEvD06b9u39f
 zlha8CH2KSZUSwMhFfYOIE5iFDbA8iuu9dgZNMynMW/5DJXsvCeE8bc0LJgfeWtG
 ziKG5rwKglzUuqjVFkKHKj3PSeb7fScyFdvLrMZb6d5Qc7xytf1xP4MyFRBDkIAQ
 BrycbwKUE/60BLBKhcAPkq/ha7h2g+4ZETCfh9v+C6ppU0bfUfk=
 =EdE3
 -----END PGP SIGNATURE-----

Merge tag '9p-for-4.21' of git://github.com/martinetd/linux

Pull 9p updates from Dominique Martinet:
 "Missing prototype warning fix and a syzkaller fix when a 9p server
  advertises a too small msize"

* tag '9p-for-4.21' of git://github.com/martinetd/linux:
  9p/net: put a lower bound on msize
  net/9p: include trans_common.h to fix missing prototype warning.
2019-01-02 12:11:01 -08:00
Linus Torvalds cacf02df4b 4 fixes for stable, improvements to DFS including allowing failover to alternate targets, and some small performance improvements
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAlwqtf4ACgkQiiy9cAdy
 T1GLwAv+I4MaCe5oq/IHDZnr09Mb/sIRLqLXnMWJciRHedHFIa/x2egb+584M+bf
 Lrb3UjDyS4aXV8cjrm4XO8zzzvQkTRLtaJrlxo/b1oDZJ8JkH2M6EeNr5gAB6qso
 dbmUX59YMX8KSpmQMhigcv+ilOQdokDWVdxqZ2ezbEMeVMotkQOnhrcSiJPx05QS
 CRktWjSn7JKD87cj8i0dTX+txBPX9iIpYQJGWdbJa2n6V8mQkx9JPgyQCC/FwKF2
 TzCXl7wfn1gTnFSxCa/sq7lnYAr6xCngbFi+pgVU+O/Aw0dyW3AoKfF7hBOo+gAH
 ZJALnvhb8pJmKolXFt7OKQKuOoJSq8MInsjKSKgSe0Xt1yHEtm7IJPy6Kbj3zKVy
 TuDq1KXstB5m3uwO3QBmzGxZ7rCB4B1w1cGjn8MFcpK4+tOxtmSvIeYuzEj9Vxet
 5JFZzMICFyzedyuBaRxyEX8SKH7CxOXCiDajxLsp7GI8KN1i0skzjgpbmZ/tdRbB
 kHaPnRdU
 =rYS/
 -----END PGP SIGNATURE-----

Merge tag '4.21-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs updates from Steve French:

 - four fixes for stable

 - improvements to DFS including allowing failover to alternate targets

 - some small performance improvements

* tag '4.21-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6: (39 commits)
  cifs: update internal module version number
  cifs: we can not use small padding iovs together with encryption
  cifs: Minor Kconfig clarification
  cifs: Always resolve hostname before reconnecting
  cifs: Add support for failover in cifs_reconnect_tcon()
  cifs: Add support for failover in smb2_reconnect()
  cifs: Only free DFS target list if we actually got one
  cifs: start DFS cache refresher in cifs_mount()
  cifs: Use GFP_ATOMIC when a lock is held in cifs_mount()
  cifs: Add support for failover in cifs_reconnect()
  cifs: Add support for failover in cifs_mount()
  cifs: remove set but not used variable 'sep'
  cifs: Make use of DFS cache to get new DFS referrals
  cifs: minor updates to documentation
  cifs: check kzalloc return
  cifs: remove set but not used variable 'server'
  cifs: Use kzfree() to free password
  cifs: Fix to use kmem_cache_free() instead of kfree()
  cifs: update for current_kernel_time64() removal
  cifs: Add DFS cache routines
  ...
2019-01-02 12:08:29 -08:00
Linus Torvalds 74673fc50b Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull TPM updates from James Morris:

 - Support for partial reads of /dev/tpm0.

 - Clean up for TPM 1.x code: move the commands to tpm1-cmd.c and make
   everything to use the same data structure for building TPM commands
   i.e. struct tpm_buf.

* 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (25 commits)
  tpm: add support for partial reads
  tpm: tpm_ibmvtpm: fix kdoc warnings
  tpm: fix kdoc for tpm2_flush_context_cmd()
  tpm: tpm_try_transmit() refactor error flow.
  tpm: use u32 instead of int for PCR index
  tpm1: reimplement tpm1_continue_selftest() using tpm_buf
  tpm1: reimplement SAVESTATE using tpm_buf
  tpm1: rename tpm1_pcr_read_dev to tpm1_pcr_read()
  tpm1: implement tpm1_pcr_read_dev() using tpm_buf structure
  tpm: tpm1: rewrite tpm1_get_random() using tpm_buf structure
  tpm: tpm-space.c remove unneeded semicolon
  tpm: tpm-interface.c drop unused macros
  tpm: add tpm_auto_startup() into tpm-interface.c
  tpm: factor out tpm_startup function
  tpm: factor out tpm 1.x pm suspend flow into tpm1-cmd.c
  tpm: move tpm 1.x selftest code from tpm-interface.c tpm1-cmd.c
  tpm: factor out tpm1_get_random into tpm1-cmd.c
  tpm: move tpm_getcap to tpm1-cmd.c
  tpm: move tpm1_pcr_extend to tpm1-cmd.c
  tpm: factor out tpm_get_timeouts()
  ...
2019-01-02 11:05:43 -08:00
Linus Torvalds 19f2e267a5 Merge branch 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull smack updates from James Morris:
 "Two Smack patches for 4.21.

  Jose's patch adds missing documentation and Zoran's fleshes out the
  access checks on keyrings"

* 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  Smack: Improve Documentation
  smack: fix access permissions for keyring
2019-01-02 10:56:09 -08:00
Linus Torvalds 1ac5cd4978 block: don't use un-ordered __set_current_state(TASK_UNINTERRUPTIBLE)
This mostly reverts commit 849a370016 ("block: avoid ordered task
state change for polled IO").  It was wrongly claiming that the ordering
wasn't necessary.  The memory barrier _is_ necessary.

If something is truly polling and not going to sleep, it's the whole
state setting that is unnecessary, not the memory barrier.  Whenever you
set your state to a sleeping state, you absolutely need the memory
barrier.

Note that sometimes the memory barrier can be elsewhere.  For example,
the ordering might be provided by an external lock, or by setting the
process state to sleeping before adding yourself to the wait queue list
that is used for waking up (where the wait queue lock itself will
guarantee that any wakeup will correctly see the sleeping state).

But none of those cases were true here.

NOTE! Some of the polling paths may indeed be able to drop the state
setting entirely, at which point the memory barrier also goes away.

(Also note that this doesn't revert the TASK_RUNNING cases: there is no
race between a wakeup and setting the process state to TASK_RUNNING,
since the end result doesn't depend on ordering).

Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-02 10:46:03 -08:00
Eric Dumazet d63967e475 isdn: fix kernel-infoleak in capi_unlocked_ioctl
Since capi_ioctl() copies 64 bytes after calling
capi20_get_manufacturer() we need to ensure to not leak
information to user.

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 0 PID: 11245 Comm: syz-executor633 Not tainted 4.20.0-rc7+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
 kmsan_internal_check_memory+0x9d4/0xb00 mm/kmsan/kmsan.c:704
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 capi_ioctl include/linux/uaccess.h:177 [inline]
 capi_unlocked_ioctl+0x1a0b/0x1bf0 drivers/isdn/capi/capi.c:939
 do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:713 [inline]
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x440019
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdd4659fb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
RDX: 0000000020000080 RSI: 00000000c0044306 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004018a0
R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000

Local variable description: ----data.i@capi_unlocked_ioctl
Variable was created at:
 capi_ioctl drivers/isdn/capi/capi.c:747 [inline]
 capi_unlocked_ioctl+0x82/0x1bf0 drivers/isdn/capi/capi.c:939
 do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46

Bytes 12-63 of 64 are uninitialized
Memory access of size 64 starts at ffff88807ac5fce8
Data copied to user address 0000000020000080

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-02 10:31:39 -08:00
Stefano Brivio 7adf324609 ipv6: route: Fix return value of ip6_neigh_lookup() on neigh_create() error
In ip6_neigh_lookup(), we must not return errors coming from
neigh_create(): if creation of a neighbour entry fails, the lookup should
return NULL, in the same way as it's done in __neigh_lookup().

Otherwise, callers legitimately checking for a non-NULL return value of
the lookup function might dereference an invalid pointer.

For instance, on neighbour table overflow, ndisc_router_discovery()
crashes ndisc_update() by passing ERR_PTR(-ENOBUFS) as 'neigh' argument.

Reported-by: Jianlin Shi <jishi@redhat.com>
Fixes: f8a1b43b70 ("net/ipv6: Create a neigh_lookup for FIB entries")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-02 10:29:20 -08:00
Eric Dumazet 202700e307 net/hamradio/6pack: use mod_timer() to rearm timers
Using del_timer() + add_timer() is generally unsafe on SMP,
as noticed by syzbot. Use mod_timer() instead.

kernel BUG at kernel/time/timer.c:1136!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 1026 Comm: kworker/u4:4 Not tainted 4.20.0+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound flush_to_ldisc
RIP: 0010:add_timer kernel/time/timer.c:1136 [inline]
RIP: 0010:add_timer+0xa81/0x1470 kernel/time/timer.c:1134
Code: 4d 89 7d 40 48 c7 85 70 fe ff ff 00 00 00 00 c7 85 7c fe ff ff ff ff ff ff 48 89 85 90 fe ff ff e9 e6 f7 ff ff e8 cf 42 12 00 <0f> 0b e8 c8 42 12 00 0f 0b e8 c1 42 12 00 4c 89 bd 60 fe ff ff e9
RSP: 0018:ffff8880a7fdf5a8 EFLAGS: 00010293
RAX: ffff8880a7846340 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff816f3ee1 RDI: ffff88808a514ff8
RBP: ffff8880a7fdf760 R08: 0000000000000007 R09: ffff8880a7846c58
R10: ffff8880a7846340 R11: 0000000000000000 R12: ffff88808a514ff8
R13: ffff88808a514ff8 R14: ffff88808a514dc0 R15: 0000000000000030
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000061c500 CR3: 00000000994d9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 decode_prio_command drivers/net/hamradio/6pack.c:903 [inline]
 sixpack_decode drivers/net/hamradio/6pack.c:971 [inline]
 sixpack_receive_buf drivers/net/hamradio/6pack.c:457 [inline]
 sixpack_receive_buf+0xf9c/0x1470 drivers/net/hamradio/6pack.c:434
 tty_ldisc_receive_buf+0x164/0x1c0 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x114/0x190 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x3b2/0x590 drivers/tty/tty_buffer.c:533
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Andreas Koensgen <ajk@comnets.uni-bremen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-02 10:27:01 -08:00
Xue Chaojing 53fe3ed19d net-next/hinic:add shutdown callback
If there is no shutdown callback, our board will report pcie UNF errors
after restarting. This patch add shutdown callback for hinic.

Signed-off-by: Xue Chaojing <xuechaojing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-02 10:13:35 -08:00
Linus Torvalds d9a7fa67b4 Merge branch 'next-seccomp' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull seccomp updates from James Morris:

 - Add SECCOMP_RET_USER_NOTIF

 - seccomp fixes for sparse warnings and s390 build (Tycho)

* 'next-seccomp' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  seccomp, s390: fix build for syscall type change
  seccomp: fix poor type promotion
  samples: add an example of seccomp user trap
  seccomp: add a return code to trap to userspace
  seccomp: switch system call argument type to void *
  seccomp: hoist struct seccomp_data recalculation higher
2019-01-02 09:48:13 -08:00
Bartlomiej Zolnierkiewicz 399382f801 drm/nouveau: fix incorrect FB_BACKLIGHT usage in Kconfig
Making FB_BACKLIGHT tristate by commit b4a1ed0cd1 ("fbdev:
make FB_BACKLIGHT a tristate") caused unmet dependencies in
some configurations:

WARNING: unmet direct dependencies detected for FB_BACKLIGHT
  Depends on [m]: HAS_IOMEM [=y] && FB [=m]
  Selected by [y]:
  - DRM_NOUVEAU [=y] && HAS_IOMEM [=y] && DRM [=y] && PCI [=y] && MMU [=y] && DRM_NOUVEAU_BACKLIGHT [=y]
  Selected by [m]:
  - FB_NVIDIA [=m] && HAS_IOMEM [=y] && FB [=m] && PCI [=y] && FB_NVIDIA_BACKLIGHT [=y]

Fix it by making DRM_NOUVEAU select BACKLIGHT_CLASS_DEVICE and
BACKLIGHT_LCD_SUPPORT instead of FB_BACKLIGHT.

Fixes: b4a1ed0cd1 ("fbdev: make FB_BACKLIGHT a tristate")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
Cc: Rob Clark <robdclark@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Ben Skeggs <bskeggs@redhat.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2019-01-02 18:47:37 +01:00
Linus Torvalds f218a29c25 Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull integrity updates from James Morris:
 "In Linux 4.19, a new LSM hook named security_kernel_load_data was
  upstreamed, allowing LSMs and IMA to prevent the kexec_load syscall.
  Different signature verification methods exist for verifying the
  kexec'ed kernel image. This adds additional support in IMA to prevent
  loading unsigned kernel images via the kexec_load syscall,
  independently of the IMA policy rules, based on the runtime "secure
  boot" flag. An initial IMA kselftest is included.

  In addition, this pull request defines a new, separate keyring named
  ".platform" for storing the preboot/firmware keys needed for verifying
  the kexec'ed kernel image's signature and includes the associated IMA
  kexec usage of the ".platform" keyring.

  (David Howell's and Josh Boyer's patches for reading the
  preboot/firmware keys, which were previously posted for a different
  use case scenario, are included here)"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  integrity: Remove references to module keyring
  ima: Use inode_is_open_for_write
  ima: Support platform keyring for kernel appraisal
  efi: Allow the "db" UEFI variable to be suppressed
  efi: Import certificates from UEFI Secure Boot
  efi: Add an EFI signature blob parser
  efi: Add EFI signature data types
  integrity: Load certs to the platform keyring
  integrity: Define a trusted platform keyring
  selftests/ima: kexec_load syscall test
  ima: don't measure/appraise files on efivarfs
  x86/ima: retry detecting secure boot mode
  docs: Extend trusted keys documentation for TPM 2.0
  x86/ima: define arch_get_ima_policy() for x86
  ima: add support for arch specific policies
  ima: refactor ima_init_policy()
  ima: prevent kexec_load syscall based on runtime secureboot flag
  x86/ima: define arch_ima_get_secureboot
  integrity: support new struct public_key_signature encoding field
2019-01-02 09:43:14 -08:00
Yangtao Li 260f71eff4 sunrpc: convert to DEFINE_SHOW_ATTRIBUTE
Use DEFINE_SHOW_ATTRIBUTE macro to simplify the code.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:49 -05:00
Santosh kumar pradhan 10e037d1e0 sunrpc: Add xprt after nfs4_test_session_trunk()
Multipathing: In case of NFSv3, rpc_clnt_test_and_add_xprt() adds
the xprt to xprt switch (i.e. xps) if rpc_call_null_helper() returns
success. But in case of NFSv4.1, it needs to do EXCHANGEID to verify
the path along with check for session trunking.

Add the xprt in nfs4_test_session_trunk() only when
nfs4_detect_session_trunking() returns success. Also release refcount
hold by rpc_clnt_setup_test_and_add_xprt().

Signed-off-by: Santosh kumar pradhan <santoshkumar.pradhan@wdc.com>
Tested-by: Suresh Jayaraman <suresh.jayaraman@wdc.com>
Reported-by: Aditya Agnihotri <aditya.agnihotri@wdc.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:19 -05:00
J. Bruce Fields cb24e35b4f sunrpc: convert unnecessary GFP_ATOMIC to GFP_NOFS
It's OK to sleep here, we just don't want to recurse into the filesystem
as a writeout could be waiting on this.

Future work: the documentation for GFP_NOFS says "Please try to avoid
using this flag directly and instead use memalloc_nofs_{save,restore} to
mark the whole scope which cannot/shouldn't recurse into the FS layer
with a short explanation why. All allocation requests will inherit
GFP_NOFS implicitly."

But I'm not sure where to do this.  Should the workqueue be arranging
that for us in the case of workqueues created with WQ_MEM_RECLAIM?

Reported-by: Trond Myklebust <trondmy@hammer.space>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:19 -05:00
J. Bruce Fields 81c88b18de sunrpc: handle ENOMEM in rpcb_getport_async
If we ignore the error we'll hit a null dereference a little later.

Reported-by: syzbot+4b98281f2401ab849f4b@syzkaller.appspotmail.com
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:19 -05:00
NeilBrown c2c7d84fd1 NFS: remove unnecessary test for IS_ERR(cred)
As gte_current_cred() cannot return an error,
this test is not necessary.
It hasn't been necessary for years, but it wasn't so obvious
before.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:19 -05:00
Chuck Lever 07e10308ee xprtrdma: Prevent leak of rpcrdma_rep objects
If a reply has been processed but the RPC is later retransmitted
anyway, the req->rl_reply field still contains the only pointer to
the old rpcrdma rep. When the next reply comes in, the reply handler
will stomp on the rl_reply field, leaking the old rep.

A trace event is added to capture such leaks.

This problem seems to be worsened by the restructuring of the RPC
Call path in v4.20. Fully addressing this issue will require at
least a re-architecture of the disconnect logic, which is not
appropriate during -rc.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:19 -05:00
Olga Kornievskaia 9aeaf8cfcb NFSv4.2 fix async copy reboot recovery
Original commit (e4648aa4f9 "NFS recover from destination server
reboot for copies") used memcmp() and then it was changed to use
nfs4_stateid_match_other() but that function returns opposite of
memcmp. As the result, recovery can't find the copy leading
to copy hanging.

Fixes: 80f4236886 ("NFSv4: Split out NFS v4.2 copy completion functions")
Fixes: cb7a8384dc ("NFS: Split out the body of nfs4_reclaim_open_state")
Signed-of-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:19 -05:00
Chuck Lever f85adb1bf5 xprtrdma: Don't leak freed MRs
Defensive clean up. Don't set frwr->fr_mr until we know that the
scatterlist allocation has succeeded.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:18 -05:00
Chuck Lever af65ed404c xprtrdma: Add documenting comment for rpcrdma_buffer_destroy
Make a note of the function's dependency on an earlier ib_drain_qp.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:18 -05:00
Chuck Lever 995d312a28 xprtrdma: Replace outdated comment for rpcrdma_ep_post
Since commit 7c8d9e7c88 ("xprtrdma: Move Receive posting to
Receive handler"), rpcrdma_ep_post is no longer responsible for
posting Receive buffers. Update the documenting comment to reflect
this change.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:18 -05:00
Chuck Lever e0f86bc4f9 xprtrdma: Update comments in frwr_op_send
Commit f287762308 ("xprtrdma: Chain Send to FastReg WRs") was
written before commit ce5b371782 ("xprtrdma: Replace all usage of
"frmr" with "frwr""), but was merged afterwards. Thus it still
refers to FRMR and MWs.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:18 -05:00
Chuck Lever acf0a39f4f SUNRPC: Fix some kernel doc complaints
Clean up some warnings observed when building with "make W=1".

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:18 -05:00
Chuck Lever dc5820bd21 SUNRPC: Simplify defining common RPC trace events
Clean up, no functional change is expected.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:18 -05:00
Chuck Lever 5b2095d0ce NFS: Fix NFSv4 symbolic trace point output
These symbolic values were not being displayed in string form.
TRACE_DEFINE_ENUM was missing in many cases. It also turns out that
__print_symbolic wants an unsigned long in the first field...

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-01-02 12:05:18 -05:00