The !CONFIG_GENERIC_IOMAP version of ioport_map uses MMIO_UPPER_LIMIT to
prevent users from making I/O accesses outside the expected I/O range -
however it erroneously treats MMIO_UPPER_LIMIT as a mask which is
contradictory to its other users.
The introduction of CONFIG_INDIRECT_PIO, which subtracts an arbitrary
amount from IO_SPACE_LIMIT to form MMIO_UPPER_LIMIT, results in ioport_map
mangling the given port rather than capping it.
We address this by aligning more closely with the CONFIG_GENERIC_IOMAP
implementation of ioport_map by using the comparison operator and
returning NULL where the port exceeds MMIO_UPPER_LIMIT. Though note that
we preserve the existing behavior of masking with IO_SPACE_LIMIT such that
we don't break existing buggy drivers that somehow rely on this masking.
Fixes: 5745392e0c ("PCI: Apply the new generic I/O management on PCI IO hosts")
Reported-by: Will Deacon <will.deacon@arm.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Murray <andrew.murray@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
It turns out OSXSAVE needs to be checked only for AVX, not for SSE.
Without this patch the affected modules refuse to load on CPUs with SSE2
but without AVX support.
Fixes: 877ccce7cb ("crypto: x86/aegis,morus - Fix and simplify CPUID checks")
Cc: <stable@vger.kernel.org> # 4.18
Reported-by: Zdenek Kaspar <zkaspar82@gmail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABAgAGBQJbmj3VAAoJEFKgDEdIgJTyKjAP/ie5PLfZa0A5Epy/JEMFnII3
ISkEH4DxA2Ymxy6jNLIJMAH67OWJUNmIaIyjSINdiBw+r6i4oS5iLcLdo2chsPaJ
KUbxdMJ2p46b2zhNvx6COFe6FghVhrtIX4RIZN5ZuWF4ChIP2bMK7/cA4uFtJXeI
X/Ge6SpYZ4jnSlnw5jSdLCmC/fP6oEALD9r77j454K/TWNAYHFStmsKkjbrBMDlg
Ja56qfHNdCs+8IoIWONYKPOUiE325OGRjRSH7vE2uC+BecRpt/H6BxAxZIaMstgj
CeAdTiVvbCF8wbqvuVj0TkQU2hzNFzcPf0YaT07wPJl1ClSgTKCt/bkcOqOcpLQm
n9+4WfqHsVEmWlBHENuxmHm3jA2p11mWB4R/NqvvZCHifS6gnKv9P4RYrlbSD4KB
yVba9FF81yotQSO2G76QzuZ1MFjqxNkii5MDGsAGye1iZOWHHHCy3S23AYVXwfJX
K7RP3sZ2Gora6cTJnsLvJBbPHi7EZoraVzLZUen+ig2slPDsWoCM0gghvB/Kce0G
ih9zMGMhjLOd54QOlGHlfH67BO1pxle5PJAcraqcctOep4pr+pj/h1GDgsMfF0kI
+wxk9F+FIC6vtkCd+a/tDxc7C/4ObeiYQp6RGQGm5vw4/9uYhkxu4MX1+ltqHEVl
hzBOQCd4p2EI/pAMPDm1
=Dj1C
-----END PGP SIGNATURE-----
Merge tag 'printk-for-4.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk
Pull printk fix from Petr Mladek:
"Revert a commit that caused "quiet", "debug", and "loglevel" early
parameters to be ignored for early boot messages"
* tag 'printk-for-4.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
Revert "printk: make sure to print log on console."
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQSQHSd0lITzzeNWNm3h3BK/laaZPAUCW5qpOgAKCRDh3BK/laaZ
PDCQAQCIKLg0aLeWOkfUO76mBjlp5srKgJfrqpFoyuozD6l2fQEAl/W2x9NOduV+
PK4sCYMT8SpI0hMrbv9P4zZ683kmaA8=
=RnZU
-----END PGP SIGNATURE-----
Merge tag 'ovl-fixes-4.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
Pull overlayfs fixes from Miklos Szeredi:
"This fixes a regression in the recent file stacking update, reported
and fixed by Amir Goldstein. The fix is fairly trivial, but involves
adding a fadvise() f_op and the associated churn in the vfs. As
discussed on -fsdevel, there are other possible uses for this method,
than allowing proper stacking for overlays.
And there's one other fix for a syzkaller detected oops"
* tag 'ovl-fixes-4.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
ovl: fix oopses in ovl_fill_super() failure paths
ovl: add ovl_fadvise()
vfs: implement readahead(2) using POSIX_FADV_WILLNEED
vfs: add the fadvise() file operation
Documentation/filesystems: update documentation of file_operations
ovl: fix GPF in swapfile_activate of file from overlayfs over xfs
ovl: respect FIEMAP_FLAG_SYNC flag
-----BEGIN PGP SIGNATURE-----
iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAlubFpAQHGF4Ym9lQGtl
cm5lbC5kawAKCRD301j7KXHgpoYnEADQYssR8J6leHkYgrAT4zhuhNLALknzHj49
F/s6U3npw1CkUOyNEJ52KScVDEv+bvKIjxXbpVOB1qXqtZWNQ9HkEwAEQWVg11T9
xfbvqDyk/qywfx/cKt+Fko8wcuCX4F4tDX8io9RWeosWg/W5oOPJ8vjh54j0kUXK
xzY947eNorYqjwDYUj56JsVkHObTA8PWg578tgnbYNQtXvJMhWLL4YlfqsbtTMfb
SuQ/AVRhsFPfCMX+0Qj5vu08UwrZ7VDkPKpqUpKfQPqB5VLpKbbCItMt32rCujj9
Ptmo81kEVxZaj9vqqst2wbUp3RVAN5SzcuXoj20GGP2HpWEwBAe8kxgsOVzEgOhx
dNPX2XjfsN0FGN0nPXbYSN0IPeyoxDSgImWRwrdZCaSTXm/96apnzPXNXt0kWh4L
3RP82Y655AtDEfZwVCkUFwqUIgyYm978vgGn/3zf682mBeQImon0AMAJk3QPNj7f
Re8acaPyix39D0+RYfeEHzO9UM1PQ2QF9IX9DwnSrHfoEWEnjPlaEZIbO5fGPKUV
ny+nGoadWqosOUz6/OJuo+MDzE7BlbN25KTN4xcLQlaKxblLJNoPhbgafR1AloTi
DkBXztwAYC9n49D+eiclHplJG0xcWmKyAj3FrINJsW1wkiH2LBjZVC4SX0NJh9Ei
RsFc6NdSDQ==
=1Jo5
-----END PGP SIGNATURE-----
Merge tag 'for-linus-20180913' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
"Three fixes that should go into this series. This contains:
- Increase number of policies supported by blk-cgroup.
With blk-iolatency, we now have four in kernel, but we had a hard
limit of three...
- Fix regression in null_blk, where the zoned supported broke
queue_mode=0 (bio based).
- NVMe pull request, with a single fix for an issue in the rdma code"
* tag 'for-linus-20180913' of git://git.kernel.dk/linux-block:
null_blk: fix zoned support for non-rq based operation
blk-cgroup: increase number of supported policies
nvmet-rdma: fix possible bogus dereference under heavy load
asynchronous crypto hadsh API.
- Fix to both DM crypt and DM integrity targets to discontinue using
CRYPTO_TFM_REQ_MAY_SLEEP because its use of GFP_KERNEL can lead to
deadlock by recursing back into a filesystem.
- Various DM raid fixes related to reshape and rebuild races.
- Fix for DM thin-provisioning to avoid data corruption that was a
side-effect of needing to abort DM thin metadata transaction due to
running out of metadata space. Fix is to reserve a small amount of
metadata space so that once it is used the DM thin-pool can finish its
active transaction before switching to read-only mode.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJbmq1sAAoJEMUj8QotnQNa9hwIANBzgefmIoBA8hCqlS7Nzogh
moHAbaUONYxAVksJ5s4Divpa4RE8jSZ8AiVJizbLj94XxqnpA5x4pmhtUs3OdWxq
4FW8fZvb2L1IMeshajMsO+rKrL6y8uwYnRI5zSJRKxhV2frj1VZ4ioMEXMGrwqjO
jwNYFWglX5G3eIohUIDxgXki/WkacndQlsy2T6Utx0idz50usOt1pNON/GPhRsXd
yWbvxQWuaZlm6+TF1ygsrXr1nMwRwDw0pdjY9sRQ3hHmuYQ24Wgkwf5Ggi5US7VZ
iwgK8dppR8zWqwRyxRYahJvQvwcnC18mewFAmuDQfvPXqvUHtuhWaxzE4D9c3L0=
=yIoD
-----END PGP SIGNATURE-----
Merge tag 'for-4.19/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
Pull device mapper fixes from Mike Snitzer:
- DM verity fix for crash due to using vmalloc'd buffers with the
asynchronous crypto hadsh API.
- Fix to both DM crypt and DM integrity targets to discontinue using
CRYPTO_TFM_REQ_MAY_SLEEP because its use of GFP_KERNEL can lead to
deadlock by recursing back into a filesystem.
- Various DM raid fixes related to reshape and rebuild races.
- Fix for DM thin-provisioning to avoid data corruption that was a
side-effect of needing to abort DM thin metadata transaction due to
running out of metadata space. Fix is to reserve a small amount of
metadata space so that once it is used the DM thin-pool can finish
its active transaction before switching to read-only mode.
* tag 'for-4.19/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
dm thin metadata: try to avoid ever aborting transactions
dm raid: bump target version, update comments and documentation
dm raid: fix RAID leg rebuild errors
dm raid: fix rebuild of specific devices by updating superblock
dm raid: fix stripe adding reshape deadlock
dm raid: fix reshape race on small devices
dm: disable CRYPTO_TFM_REQ_MAY_SLEEP to fix a GFP_KERNEL recursion deadlock
dm verity: fix crash on bufio buffer that was allocated with vmalloc
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJbmxVCAAoJEAx081l5xIa+H0EP/2F5S+VeVX/GQB3hs5xdNubj
fBGWorXefXRySPOtS0SdSjHnPnJCUgWnHnKOGrBAxtqRaImnqZLra9HztdV7WbBI
mzhfw39cekWX6q2/5WoTP2IxaujVMEyCFX9lgW+96msFktuwvmNGA6QP9MtOfyfV
oBzjrtoQSJYHx7uzDDiAzghMKm6EGbkDjqHnOuO3HGNc2N+mPlNd4cIaReAehOkG
r1PqOn26CRi9y/bsDgERLEiQURS4kHLz6QaGotJtMVrQblFuNwwk4eBEL9FjkGur
f9jNnRAW9MXk/lPkXjWCwPV5wYcHW7XpldL0pZKTnL/Od6Fm956Ecoda72cRquMe
4Rt+LOlZueNEcY4WyDnT9i5kYdE18TYvYNW5SpWXT2ZwhHmRgsblZsO+nTufndGT
+GxGAalsLB8wSVh0m3h2TdJeULINzHoN287i6KXZOoc0tR4yXh3Bek3k5K1Sajiv
3Ehp4mzOEBcut7qR9P8KNoOtt5lExp8LwxHcpwbl+rYeFUhNUr1ffuLBV59bVLt7
sluZQ9+UVHu72XSXdXRtB9WeyKPToZBkh2+rwad4SPLpUKwJuyXJim/IHKfGt0O9
BeilehpFVerP4RyB7dK3PRRzKS0zQmfVlr5x1WDXwir1RHDjWdoyLvHFzwn5OKSH
rIGf2J64oreok1UrCKyN
=NZvZ
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-2018-09-14' of git://anongit.freedesktop.org/drm/drm
Pull drm fixes from Dave Airlie:
"This is the general drm fixes pull for rc4.
i915:
- Two GVT fixes (one for the mm reference issue you pointed out)
- Gen 2 video playback fix
- IPS timeout error suppression on Broadwell
amdgpu:
- Small memory leak
- SR-IOV reset
- locking fix
- updated SDMA golden registers
nouveau:
- Remove some leftover debugging"
* tag 'drm-fixes-2018-09-14' of git://anongit.freedesktop.org/drm/drm:
drm/nouveau/devinit: fix warning when PMU/PRE_OS is missing
drm/amdgpu: fix error handling in amdgpu_cs_user_fence_chunk
drm/i915/overlay: Allocate physical registers from stolen
drm/amdgpu: move PSP init prior to IH in gpu reset
drm/amdgpu: Fix SDMA hang in prt mode v2
drm/amdgpu: fix amdgpu_mn_unlock() in the CS error path
drm/i915/bdw: Increase IPS disable timeout to 100ms
drm/i915/gvt: Fix the incorrect length of child_device_config issue
drm/i915/gvt: Fix life cycle reference on KVM mm
- A complicated IRQ fix for the MSM driver (see commit).
- Fix the group/function check in the Ingenic driver.
- Deal with a possible NULL pointer dereference in the Madera
driver.
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJbmlOCAAoJEEEQszewGV1zXTAP+gLLyF9Txaa4t65wGYnbafoi
6DgGHOCvgxvro8M1vlWViDLmGdHGvMqSA0kHdpur5H+91tHIsHFTvZwiUtOQrwiG
nNJVK+ijNPLnVQNALqFbxasDCLs3FPQU+8KsQfQ/L4K3hz848+B/3Rqb/zxur/rY
miGPgivvXqdKr//o+lh9ekK+xrc9Je1PMUoRbXaZWBVMNqRB38NnRpkcFmTnfYUS
VGn6gXhJ33pajQCQOJLXppRP0z7hN5L1g8W2JOmZucZdRZjTVRxv99dUiFLxneEX
r9mvAS4W0pQLZOSsmOFCc/R64W3Znr8sQaJjlH6La76zazNCE8wGYhOgFnfQgHoH
z08WRSdd34xXGjzI0ipOHS0NdvM2V8tQQTSAzlE8qc5ItNSbyAmmHCrj9iodAQ7F
B1N4/YQTfly8vlnO8jRWF1E3AJ6zcwLu8Irh4MiBqUPxSF9SsQvDJIoQsD0HpsT3
bWl6dUmr96NhVwzuatITIfX8NHhR3YPTWgSir4ri4ybRuLTrA0iOH8UBfdegL0gM
xLfAAQt1VjU4ZN2s9b+IzXjsB0N/TPCbxDFlLOGgxn1/hdU4e8+2oD6R9Ba98jLx
e2DQ9D8raJo76069yQ0wzu92zFj5oEY71praWA3hDBa+HOzgx9xeryb9WHEzuYkR
iCjRSnCUO3Mbf6EukIy3
=g3Rc
-----END PGP SIGNATURE-----
Merge tag 'pinctrl-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
- A complicated IRQ fix for the MSM driver (see commit)
- Fix the group/function check in the Ingenic driver
- Deal with a possible NULL pointer dereference in the Madera driver
* tag 'pinctrl-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
pinctrl: madera: Fix possible NULL pointer with pdata config
pinctrl: ingenic: Fix group & function error checking
pinctrl: msm: Really mask level interrupts to prevent latching
Pull percpu maintainership update from Tejun Heo:
"This updates the MAINTAINERS file to transfer the percpu tree
maintainership to Dennis Zhou.
Dennis rewrote a good portion of the percpu allocator, knows most of
percpu related code, is already listed as a co-maintainer, has been
reliable, and now sits right behind me. I'll keep reviewing and
involved with percpu stuff and am sure that Dennis will soon make a
better maintainer than I ever was"
* 'for-4.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
MAINTAINERS: Make Dennis the percpu tree maintainer
Pull hexagon fixes from Richard Kuo:
"Some fixes for compile warnings"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rkuo/linux-hexagon-kernel:
hexagon: modify ffs() and fls() to return int
arch/hexagon: fix kernel/dma.c build warning
One fix for the zcrypt driver to correctly handle incomplete
encryption/decryption operations.
A cleanup for the aqmask/apmask parsing to avoid variable
length arrays on the stack.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAABCAAGBQJbmkYUAAoJEDjwexyKj9rgrugH/21Uf1S0mkkRfDeYxD6lJva6
zNmEZ3V+GXc8L/0CisFWQOcIU1fO+jozp9HPGkQxeTvAuqIfVhBRVoMMxiTRaZb3
xdSBel8EvAGxlZq/6eq6fU59HPWGm+N53rC9J5MMQQqgpSmq8F2QeO5CoidflRh8
bdio9cliLsjPu+3P2JU3noolhb/f577J3dgP4gKARRpOfh8vUI7NLU3Mham+7886
ASjG8s/zr9spPnrErJusloOLDJt4M94J8KrIbB/WAT1wZv7GxClaGsCoyCuk4cDt
TV8zIgMK9TChedwMOO0T8WMaxq+XJV+iI0dC1eZ7xNUlaIBw+UbifxCG335L3E0=
=dHq1
-----END PGP SIGNATURE-----
Merge tag 's390-4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
- One fix for the zcrypt driver to correctly handle incomplete
encryption/decryption operations.
- A cleanup for the aqmask/apmask parsing to avoid variable length
arrays on the stack.
* tag 's390-4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/zcrypt: remove VLA usage from the AP bus
s390/crypto: Fix return code checking in cbc_paes_crypt()
Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too. It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit. That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.
So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too. Win-win.
[ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
also just goes away entirely with this ]
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Will Deacon <will.deacon@arm.com>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
a IPS timeout error suppression on Broadwell and GVT bucked with
"Most critical one is to fix KVM's mm reference when we access guest memory,
issue was raised by Linus [1], and another one with virtual opregion fix."
[1] - https://lists.freedesktop.org/archives/intel-gvt-dev/2018-August/004130.html
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJbmEJvAAoJEPpiX2QO6xPKNNMIAItkqjJpqsGZq0Ii1/ph3D9U
gX3Jj4H7ZoAoE/c+wx2nNADjmn8RhV7PnKrGFuXmLkRJaNJllXA8U7h7YfWqRBT9
jQ0RIuFdbfiRrwHmqtEZ2q3XP4HCWbdSIigimO/Lk/A2l+sCY8oA+9bGB7IRxeRV
e162GARNsxN0a8D+5i+KR0mrTezSoKOvYFtUFp76UKUDAKrK85XNQsn1TR8ZMXGC
fIi03y6ZM66I+bzIsq15HEj/jrRcaXm7xjd94/HetqeVJaEOEs2ztfaex+v3yDnC
meWZKWCJ5x9noqHTO3XdHJGlKnfFQxopZsINNiqpqwOKpH7oaHWyAnnUrafJfhA=
=/IQQ
-----END PGP SIGNATURE-----
Merge tag 'drm-intel-fixes-2018-09-11' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
This contains a regression fix for video playbacks on gen 2 hardware,
a IPS timeout error suppression on Broadwell and GVT bucked with
"Most critical one is to fix KVM's mm reference when we access guest memory,
issue was raised by Linus [1], and another one with virtual opregion fix."
[1] - https://lists.freedesktop.org/archives/intel-gvt-dev/2018-August/004130.html
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180911223229.GA30328@intel.com
As reported by Reobert O'Callahan, since Viro's commit to kill
dev_ifsioc() we attempt to copy too much data in compat mode,
which may lead to EFAULT when the 32-bit version of struct ifreq
sits at/near the end of a page boundary, and the next page isn't
mapped.
Fix this by passing the approprate compat/non-compat size to copy
and using that, as before the dev_ifsioc() removal. This works
because only the embedded "struct ifmap" has different size, and
this is only used in SIOCGIFMAP/SIOCSIFMAP which has a different
handler. All other parts of the union are naturally compatible.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199469.
Fixes: bf4405737f ("kill dev_ifsioc()")
Reported-by: Robert O'Callahan <robert@ocallahan.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dennis rewrote a significant portion of the percpu allocator and has
shown that he can respond in a timely and helpful manner when issues
are reported against percpu allocator.
Let's make Dennis the percpu tree maintainer.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Christoph Lameter <cl@linux.com>
When splitting a GSO segment that consists of encapsulated packets, the
skb->mac_len of the segments can end up being set wrong, causing packet
drops in particular when using act_mirred and ifb interfaces in
combination with a qdisc that splits GSO packets.
This happens because at the time skb_segment() is called, network_header
will point to the inner header, throwing off the calculation in
skb_reset_mac_len(). The network_header is subsequently adjust by the
outer IP gso_segment handlers, but they don't set the mac_len.
Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6
gso_segment handlers, after they modify the network_header.
Many thanks to Eric Dumazet for his help in identifying the cause of
the bug.
Acked-by: Dave Taht <dave.taht@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johan Hedberg says:
====================
pull request: bluetooth 2018-09-13
A few Bluetooth fixes for the 4.19-rc series:
- Fixed rw_semaphore leak in hci_ldisc
- Fixed local Out-of-Band pairing data handling
Let me know if there are any issues pulling. Thanks.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Sabrina Dubroca says:
====================
tls: don't leave keys in kernel memory
There are a few places where the RX/TX key for a TLS socket is copied
to kernel memory. This series clears those memory areas when they're no
longer needed.
v2: add union tls_crypto_context, following Vakul Garg's comment
swap patch 2 and 3, using new union in patch 3
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This contains key material in crypto_send_aes_gcm_128 and
crypto_recv_aes_gcm_128.
Introduce union tls_crypto_context, and replace the two identical
unions directly embedded in struct tls_context with it. We can then
use this union to clean up the memory in the new tls_ctx_free()
function.
Fixes: 3c4d755915 ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
There's no need to copy the key to an on-stack buffer before calling
crypto_aead_setkey().
Fixes: 3c4d755915 ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Update 'confirmed' timestamp when ARP packet is received. It shouldn't
affect locktime logic and anyway entry can be confirmed by any higher-layer
protocol. Thus it makes sense to confirm it when ARP packet is received.
Fixes: 77d7123342 ("neighbour: update neigh timestamps iff update is effective")
Signed-off-by: Vasily Khoruzhick <vasilykh@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This fix addresses https://bugzilla.kernel.org/show_bug.cgi?id=201071
Commit 5025f7f7d5 wrongly relied on __dev_change_flags to notify users of
dev flag changes in the case when dev->rtnl_link_state = RTNL_LINK_INITIALIZED.
Fix it by indicating flag changes explicitly to __dev_notify_flags.
Fixes: 5025f7f7d5 ("rtnetlink: add rtnl_link_state check in rtnl_configure_link")
Reported-By: Liam mcbirnie <liam.mcbirnie@boeing.com>
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fields ->dev and ->next of struct ipddp_route may be copied to
userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
to CAP_NET_ADMIN though. Let's manually copy the relevant fields
instead of using memcpy().
BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
persistent_ram_vmap() returns the page start vaddr.
persistent_ram_iomap() supports non-page-aligned mapping.
persistent_ram_buffer_map() always adds offset-in-page to the vaddr
returned from these two functions, which causes incorrect mapping of
non-page-aligned persistent ram buffer.
By default ftrace_size is 4096 and max_ftrace_cnt is nr_cpu_ids. Without
this patch, the zone_sz in ramoops_init_przs() is 4096/nr_cpu_ids which
might not be page aligned. If the offset-in-page > 2048, the vaddr will be
in next page. If the next page is not mapped, it will cause kernel panic:
[ 0.074231] BUG: unable to handle kernel paging request at ffffa19e0081b000
...
[ 0.075000] RIP: 0010:persistent_ram_new+0x1f8/0x39f
...
[ 0.075000] Call Trace:
[ 0.075000] ramoops_init_przs.part.10.constprop.15+0x105/0x260
[ 0.075000] ramoops_probe+0x232/0x3a0
[ 0.075000] platform_drv_probe+0x3e/0xa0
[ 0.075000] driver_probe_device+0x2cd/0x400
[ 0.075000] __driver_attach+0xe4/0x110
[ 0.075000] ? driver_probe_device+0x400/0x400
[ 0.075000] bus_for_each_dev+0x70/0xa0
[ 0.075000] driver_attach+0x1e/0x20
[ 0.075000] bus_add_driver+0x159/0x230
[ 0.075000] ? do_early_param+0x95/0x95
[ 0.075000] driver_register+0x70/0xc0
[ 0.075000] ? init_pstore_fs+0x4d/0x4d
[ 0.075000] __platform_driver_register+0x36/0x40
[ 0.075000] ramoops_init+0x12f/0x131
[ 0.075000] do_one_initcall+0x4d/0x12c
[ 0.075000] ? do_early_param+0x95/0x95
[ 0.075000] kernel_init_freeable+0x19b/0x222
[ 0.075000] ? rest_init+0xbb/0xbb
[ 0.075000] kernel_init+0xe/0xfc
[ 0.075000] ret_from_fork+0x3a/0x50
Signed-off-by: Bin Yang <bin.yang@intel.com>
[kees: add comments describing the mapping differences, updated commit log]
Fixes: 24c3d2f342 ("staging: android: persistent_ram: Make it possible to use memory outside of bootmem")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
When we delete a chain of filters, we need to notify
user-space we are deleting each filters in this chain
too.
Fixes: 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
Cc: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The recent change of vga_switcheroo allowed the runtime PM for
HD-audio on AMD GPUs, but this also resulted in a regression. When
the HD-audio controller driver gets runtime-suspended, HD-audio link
is turned off, and the hotplug notification is ignored. This leads to
the inconsistent audio state (the connection isn't notified and ELD is
ignored).
The best fix would be to implement the proper ELD notification via the
audio component, but it's still not ready. As a quick workaround,
this patch adds the check of runtime_idle and allows the runtime
suspend only when the vga_switcheroo is bound with discrete GPU.
That is, a system with a single GPU and APU would be again without
runtime PM to keep the HD-audio link for the hotplug notification and
ELD read out.
Also, the codec->auto_runtime_pm flag is set only for the discrete GPU
at the time GPU gets bound via vga_switcheroo (i.e. only dGPU is
forcibly runtime-PM enabled), so that APU can still get the ELD
notification.
For identifying which GPU is bound, a new vga_switcheroo client
callback, gpu_bound, is implemented. The vga_switcheroo simply calls
this when GPU is bound, and tells whether it's dGPU or APU.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200945
Fixes: 07f4f97d7b ("vga_switcheroo: Use device link for HDA controller")
Reported-by: Jian-Hong Pan <jian-hong@endlessm.com>
Tested-by: Jian-Hong Pan <jian-hong@endlessm.com>
Acked-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Commit 57f230ab04 ("xen/netfront: raise max number of slots in
xennet_get_responses()") raised the max number of allowed slots by one.
This seems to be problematic in some configurations with netback using
a larger MAX_SKB_FRAGS value (e.g. old Linux kernel with MAX_SKB_FRAGS
defined as 18 instead of nowadays 17).
Instead of BUG_ON() in this case just fall back to retransmission.
Fixes: 57f230ab04 ("xen/netfront: raise max number of slots in xennet_get_responses()")
Cc: stable@vger.kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In inet6_rtm_getroute, since Commit 93531c6743 ("net/ipv6: separate
handling of FIB entries from dst based routes"), it has used rt->from
to dump route info instead of rt.
However for some route like cache, some of its information like flags
or gateway is not the same as that of the 'from' one. It caused 'ip
route get' to dump the wrong route information.
In Jianlin's testing, the output information even lost the expiration
time for a pmtu route cache due to the wrong fib6_flags.
So change to use rt6_info members for dst addr, src addr, flags and
gateway when it tries to dump a route entry without fibmatch set.
v1->v2:
- not use rt6i_prefsrc.
- also fix the gw dump issue.
Fixes: 93531c6743 ("net/ipv6: separate handling of FIB entries from dst based routes")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Although private data of sound card instance is usually allocated in the
tail of the instance, drivers in ALSA firewire stack allocate the private
data before allocating the instance. In this case, the private data
should be released explicitly at .private_free callback of the instance.
This commit fixes memory leak following to the above design.
Fixes: 6c29230e2a ('ALSA: oxfw: delayed registration of sound card')
Cc: <stable@vger.kernel.org> # v4.7+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Although private data of sound card instance is usually allocated in the
tail of the instance, drivers in ALSA firewire stack allocate the private
data before allocating the instance. In this case, the private data
should be released explicitly at .private_free callback of the instance.
This commit fixes memory leak following to the above design.
Fixes: b610386c8a ('ALSA: firewire-tascam: deleyed registration of sound card')
Cc: <stable@vger.kernel.org> # v4.7+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Although private data of sound card instance is usually allocated in the
tail of the instance, drivers in ALSA firewire stack allocate the private
data before allocating the instance. In this case, the private data
should be released explicitly at .private_free callback of the instance.
This commit fixes memory leak following to the above design.
Fixes: 86c8dd7f4d ('ALSA: firewire-digi00x: delayed registration of sound card')
Cc: <stable@vger.kernel.org> # v4.7+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
for cd2315d "ipmi: kcs_bmc: don't change device name" which is for a
driver that very few people use, and those people need the change.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJbmb2pAAoJEGHzjJCRm/+B73kP/j+dbKDEYJoBzHl+ni7yJNnv
gfmmJ8mmjB0ia7Y8rAcd3VkyzUnTtRliHs8j78VLmMHHOfQYR55xWbJmV53qJnTA
umq4SaDpmLAxnCxRlmaB6/s2HvMFVXWzgs4Ke8xVqA8cL37i/JDyHBe1wc+xkZcB
6rj5Sg8WgJTsbybTOCDvSAN99tdo5o8TjfTLk94isVuEbFz/3qcsIxdofJQvYwJ8
c/TC5zVY6pvUmTZEl6bIBT1GzLRnrCpijM4GBsmKCrL/ZRb+UW/vryWUcKMxs6oY
IhCfXAM6rl83cgfH6SHZjjruDMnUFZxpyQvR+bqEnZpp3RJ5D5SQQkLNMwrR9cCV
wdIz/n+LYATbiSOUJgJOlFsjUv1xQ4V1F92Krln8Kir/+rDkkb/75mBS7edNl606
iPQDdrg193Rz8xEqmuf9CcmRsft+9QxcdzsSOt8ZZQSHIS1TAyQc1pwtkFeyExXP
n1CVbx3+toX2J9LGfUq0h4ntcEcfW9qZRz8gAhZ4Gj5S4N3ih2KU2xo8lRQ+HRAk
8XGnSy/6IidnPn/r7onvC37RoDNltSPELm1CZxt510dZWX0GQw6G5e/TParjbvqY
3HsJZ3fGsWyzCDcblfBS010Rdz4K4vb2KFZ1da4Xrt568g1ciLY/BJrrn6ltSif/
hmxDJ/KY4iMfwiPz/E20
=nuBB
-----END PGP SIGNATURE-----
Merge tag 'for-linus-4.19' of git://github.com/cminyard/linux-ipmi
Pull IPMI bugfixes from Corey Minyard:
"A few fixes that came around or after the merge window, except for
commit cd2315d471 ("ipmi: kcs_bmc: don't change device name") which
is for a driver that very few people use, and those people need the
change"
* tag 'for-linus-4.19' of git://github.com/cminyard/linux-ipmi:
ipmi: Fix NULL pointer dereference in ssif_probe
ipmi: Fix I2C client removal in the SSIF driver
ipmi: Move BT capabilities detection to the detect call
ipmi: Rework SMI registration failure
ipmi: kcs_bmc: don't change device name
Currently, the CCP driver assumes that the SEV command issued to the PSP
will always return (i.e. it will never hang). But recently, firmware bugs
have shown that a command can hang. Since of the SEV commands are used
in probe routines, this can cause boot hangs and/or loss of virtualization
capabilities.
To protect against firmware bugs, add a timeout in the SEV command
execution flow. If a command does not complete within the specified
timeout then return -ETIMEOUT and stop the driver from executing any
further commands since the state of the SEV firmware is unknown.
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Gary Hook <Gary.Hook@amd.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJbmLg2AAoJEAx081l5xIa+794QAJeBd7XnrQtMS+BWMet0G4Dh
yY1t3LAsP75GiyI73Zbf1mWIdNk1hxli9+9+XVSrK9Yt2oh/AD+Q8BBGW7V3b17S
BvpAhKdQNJut8NskfTKvFE5lz/oMrJCKYFYh/vwigfOXo9ELg9imUcKMQJqHLzPP
SEiS4EgQ00h97FSodqYLj8E8sSIGx61xKkCBgczcpXq6SrxQAIZGW0Ut7cKUebl+
VON1sccI6xKCqVHqv/mqkm/Cugc5c6bj+AUII9NvXljAKptNjb8c813XbjwCCfzC
5OMX084ZXl94jAbqZjJXDYu640tkUpx1+o3eJZOfWz4dM7oTWU59+AHxytQWmF8P
T73o9+r93cQSP0YUb070LkSPr/YSBldb3PFk22mzRX1kHeHPuLzMGGr37Xj/3RI9
Uilddus6n2S7JzLdPl3RNLnDfVwRopc/E7VUbUCMDKrbHjV2tvsyZvBDDgPXCU68
cxG/VXKQsa4yicMbXUCjl+vGwaXZLve1wGGx/ee9Ooaqa7b7L297NWpxqhl3PjhL
G2gySbwa7gItRPw34fhNlzmEoNFk+JyAp3EOYOZQM78+IBKRSwhDVJOrbAjY+H1F
c+sUOdBk+yLQ15MVbhFeq+1puJETnV3ZmJgHjNDUUhRcJamilqfLBNiNUfGm4Pqp
9E8QZTq8BgZqWJE9ep0m
=GbIW
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-2018-09-12' of git://anongit.freedesktop.org/drm/drm
Pull drm nouveau fixes from Dave Airlie:
"I'm sending this separately as it's a bit larger than I generally like
for one driver, but it does contain a bunch of make my nvidia laptop
not die (runpm) and a bunch to make my docking station and monitor
display stuff (mst) fixes.
Lyude has spent a lot of time on these, and we are putting the fixes
into distro kernels as well asap, as it helps a bunch of standard
Lenovo laptops, so I'm fairly happy things are better than they were
before these patches, but I decided to split them out just for
clarification"
* tag 'drm-fixes-2018-09-12' of git://anongit.freedesktop.org/drm/drm:
drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP panels
drm/nouveau/disp: fix DP disable race
drm/nouveau/disp: move eDP panel power handling
drm/nouveau/disp: remove unused struct member
drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
drm/nouveau/mmu: don't attempt to dereference vmm without valid instance pointer
drm/nouveau: fix oops in client init failure path
drm/nouveau: Fix nouveau_connector_ddc_detect()
drm/nouveau/drm/nouveau: Don't forget to cancel hpd_work on suspend/unload
drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early
drm/nouveau: Reset MST branching unit before enabling
drm/nouveau: Only write DP_MSTM_CTRL when needed
drm/nouveau: Remove useless poll_enable() call in drm_load()
drm/nouveau: Remove useless poll_disable() call in switcheroo_set_state()
drm/nouveau: Remove useless poll_enable() call in switcheroo_set_state()
drm/nouveau: Fix deadlocks in nouveau_connector_detect()
drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
drm/nouveau/drm/nouveau: Fix deadlock with fb_helper with async RPM requests
drm/nouveau: Remove duplicate poll_enable() in pmops_runtime_suspend()
drm/nouveau/drm/nouveau: Fix bogus drm_kms_helper_poll_enable() placement
Pull networking fixes from David Miller:
1) Fix up several Kconfig dependencies in netfilter, from Martin Willi
and Florian Westphal.
2) Memory leak in be2net driver, from Petr Oros.
3) Memory leak in E-Switch handling of mlx5 driver, from Raed Salem.
4) mlx5_attach_interface needs to check for errors, from Huy Nguyen.
5) tipc_release() needs to orphan the sock, from Cong Wang.
6) Need to program TxConfig register after TX/RX is enabled in r8169
driver, not beforehand, from Maciej S. Szmigiero.
7) Handle 64K PAGE_SIZE properly in ena driver, from Netanel Belgazal.
8) Fix crash regression in ip_do_fragment(), from Taehee Yoo.
9) syzbot can create conditions where kernel log is flooded with
synflood warnings due to creation of many listening sockets, fix
that. From Willem de Bruijn.
10) Fix RCU issues in rds socket layer, from Cong Wang.
11) Fix vlan matching in nfp driver, from Pieter Jansen van Vuuren.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (59 commits)
nfp: flower: reject tunnel encap with ipv6 outer headers for offloading
nfp: flower: fix vlan match by checking both vlan id and vlan pcp
tipc: check return value of __tipc_dump_start()
s390/qeth: don't dump past end of unknown HW header
s390/qeth: use vzalloc for QUERY OAT buffer
s390/qeth: switch on SG by default for IQD devices
s390/qeth: indicate error when netdev allocation fails
rds: fix two RCU related problems
r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
erspan: fix error handling for erspan tunnel
erspan: return PACKET_REJECT when the appropriate tunnel is not found
tcp: rate limit synflood warnings further
MIPS: lantiq: dma: add dev pointer
netfilter: xt_hashlimit: use s->file instead of s->private
netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT
netfilter: cttimeout: ctnl_timeout_find_get() returns incorrect pointer to type
netfilter: conntrack: timeout interface depend on CONFIG_NF_CONNTRACK_TIMEOUT
netfilter: conntrack: reset tcp maxwin on re-register
qmi_wwan: Support dynamic config on Quectel EP06
ethernet: renesas: convert to SPDX identifiers
...
Messed up when sending pull request and sent an outdated version of
previous patch, this fixes it up to remove warnings.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
The supported added for zones in null_blk seem to assume that only rq
based operation is possible. But this depends on the queue_mode setting,
if this is set to 0, then cmd->bio is what we need to be operating on.
Right now any attempt to load null_blk with queue_mode=0 will
insta-crash, since cmd->rq is NULL and null_handle_cmd() assumes it to
always be set.
Make the zoned code deal with bio's instead, or pass in the
appropriate sector/nr_sectors instead.
Fixes: ca4b2a0119 ("null_blk: add zone support")
Tested-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
We need to verify that the "data_offset" is within bounds.
Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Helper bpg_msg_pull_data() can allocate multiple pages while
linearizing multiple scatterlist elements into one shared page.
However, if the shared page has size > PAGE_SIZE, using
copy_page_to_iter() causes below warning.
e.g.
[ 6367.019832] WARNING: CPU: 2 PID: 7410 at lib/iov_iter.c:825
page_copy_sane.part.8+0x0/0x8
To avoid above warning, use __GFP_COMP while allocating multiple
contiguous pages.
Fixes: 015632bb30 ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
Signed-off-by: Tushar Dave <tushar.n.dave@oracle.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Subtraction of pointers was accidentally allowed for unpriv programs
by commit 82abbf8d2f. Revert that part of commit.
Fixes: 82abbf8d2f ("bpf: do not allow root to mangle valid pointers")
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Jakub Kicinski says:
====================
nfp: flower: fixes for flower offload
Two fixes for flower matching and tunnel encap. Pieter fixes
VLAN matching if the entire VLAN id is masked out and match
is only performed on the PCP field. Louis adds validation of
tunnel flags for encap, most importantly we should not offload
actions on IPv6 tunnels if it's not supported.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This fixes a bug where ipv6 tunnels would report that it is
getting offloaded to hardware but would actually be rejected
by hardware.
Fixes: b27d6a95a7 ("nfp: compile flower vxlan tunnel set actions")
Signed-off-by: Louis Peens <louis.peens@netronome.com>
Reviewed-by: John Hurley <john.hurley@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Previously we only checked if the vlan id field is present when trying
to match a vlan tag. The vlan id and vlan pcp field should be treated
independently.
Fixes: 5571e8c9f2 ("nfp: extend flower matching capabilities")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>