The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
the port number from user input as part of its attributes and assumes
it is valid. Down on the stack, that parameter is used to access kernel
data structures. If the value is invalid, the kernel accesses memory
it should not. To prevent this, verify the port number before using it.
BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
Fixes: 67cdb40ca4 ("[IB] uverbs: Implement more commands")
Fixes: 189aba99e7 ("IB/uverbs: Extend modify_qp and support packet pacing")
Cc: <stable@vger.kernel.org> # v2.6.14+
Cc: <security@kernel.org>
Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
Cc: Tziporet Koren <tziporet@mellanox.com>
Cc: Alex Polak <alexpo@mellanox.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
It is actually a patch that missed the end of the 4.12 merge
window. The patch itself fix a bogus definition of the timer for the
Armada 37xx SoCs.
-----BEGIN PGP SIGNATURE-----
iIEEABECAEEWIQQYqXDMF3cvSLY+g9cLBhiOFHI71QUCWVpGxCMcZ3JlZ29yeS5j
bGVtZW50QGZyZWUtZWxlY3Ryb25zLmNvbQAKCRALBhiOFHI71SGMAKCP9mGjMWqD
Z9uCT8swDJ8LCi/o+wCfV4Cs0eWzqkJUDMaycdJrlMjB174=
=TavE
-----END PGP SIGNATURE-----
Merge tag 'mvebu-dt64-4.13-3' of git://git.infradead.org/linux-mvebu into next/dt64
Pull "late dt64 for 4.13" from Gregory CLEMENT:
It is actually a patch that missed the end of the 4.12 merge
window. The patch itself fix a bogus definition of the timer for the
Armada 37xx SoCs.
* tag 'mvebu-dt64-4.13-3' of git://git.infradead.org/linux-mvebu:
ARM64: dts: marvell: armada37xx: Fix timer interrupt specifiers
Contrary to popular belief, PPIs connected to a GICv3 to not have
an affinity field similar to that of GICv2. That is consistent
with the fact that GICv3 is designed to accomodate thousands of
CPUs, and fitting them as a bitmap in a byte is... difficult.
Fixes: adbc3695d9 ("arm64: dts: add the Marvell Armada 3700 family and
a development board")
Cc: <stable@vger.kernel.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
EPT A/D was enabled in the vmcs02 EPTP regardless of the vmcs12's EPTP
value. The problem is that enabling A/D changes the behavior of L2's
x86 page table walks as seen by L1. With A/D enabled, x86 page table
walks are always treated as EPT writes.
Commit ae1e2d1082 ("kvm: nVMX: support EPT accessed/dirty bits",
2017-03-30) tried to work around this problem by clearing the write
bit in the exit qualification for EPT violations triggered by page
walks. However, that fixup introduced the opposite bug: page-table walks
that actually set x86 A/D bits were *missing* the write bit in the exit
qualification.
This patch fixes the problem by disabling EPT A/D in the shadow MMU
when EPT A/D is disabled in vmcs12's EPTP.
Signed-off-by: Peter Feiner <pfeiner@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
DECLARE_HASHTABLE needs similar handling to DECLARE_BITMAP
because otherwise kernel-doc assumes the member name is the
second, not first macro parameter.
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
I was trying to wrap my head around meaning of mru, and realised
that the second line of the comment defining it had somehow
ended up after the line defining cutlen, leading to much confusion.
Reorder the lines to make sense.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Last minute changes to get new hardware and firmware support for
iwlwifi and few other changes I was able to squeeze in. Also two
patches for ieee80211.h and nl80211 as Johannes is away.
Major changes:
iwlwifi
* some important fixes for 9000 HW
* support for version 30 of the FW API for 8000 and 9000 series
* a few new PCI IDs for 9000 series
* reorganization of common files
brcmfmac
* support 4-way handshake offloading for WPA/WPA2-PSK and 802.1X
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJZWiolAAoJEG4XJFUm622bDq4H/0hezP1JZ7ljQ5+w6PCNNij9
o1+MSjMc3Xtj+uQsQOOReFCfFyUQDwsa8YxghCPjjQJvNJOGfChOS3yszFKRpn94
+IVaAbKO+9yPa8lwh8l5RPls3wP2MF6UL/QiArPxlo0OFZy0PYUsl0vZGiOFWTKe
efoUG4mt/JMAPUcffoOcnitNYrys+scVqyTt1lOzIEUnivafBrsHE+srGzgse00S
Wc9F10f+tJNqs9xCXYam5OaE9DSVobvUiYfFC1Ql1amYCfsDHJ3ve0gDHqxEE6HL
OwK3pM9F7dUFLHWf/I2kjy1NNqVu3aoL4RAJnMguQih3scdCTOh6Tk7Or1YAPRM=
=EOqs
-----END PGP SIGNATURE-----
Merge tag 'wireless-drivers-next-for-davem-2017-07-03' of https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
Kalle Valo says:
====================
wireless-drivers-next patches for 4.13
Last minute changes to get new hardware and firmware support for
iwlwifi and few other changes I was able to squeeze in. Also two
patches for ieee80211.h and nl80211 as Johannes is away.
Major changes:
iwlwifi
* some important fixes for 9000 HW
* support for version 30 of the FW API for 8000 and 9000 series
* a few new PCI IDs for 9000 series
* reorganization of common files
brcmfmac
* support 4-way handshake offloading for WPA/WPA2-PSK and 802.1X
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
The S500 SoC can start secondary CPUs without busy-looping for pen_release,
so simplify the SMP code compared to the LeMaker kernel tree.
Fixes: 172067e0bc ("ARM: owl: Implement CPU enable-method for S500")
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: David Liu <liuwei@actions-semi.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Rely on the fallback to "Generic DT based system".
This change is visible in /proc/cpuinfo.
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
* acpi-pmic:
ACPI / PMIC: xpower: Add support for the GPI1 regulator to the OpRegion handler
* acpi-misc:
ACPI: fix whitespace in pr_fmt() to align log entries
* acpi-tables:
ACPI: configfs: Unload SSDT on configfs entry removal
* acpica: (53 commits)
ACPICA: Use designated initializers
ACPICA: Update version to 20170531
ACPICA: Update a couple of debug output messages
ACPICA: acpiexec: enhance local signal handler
ACPICA: Simplify output for the ACPI Debug Object
ACPICA: Unix application OSL: Correctly handle control-c (EINTR)
ACPICA: Improvements for debug output only
ACPICA: Disassembler: allow conflicting external declarations to be emitted.
ACPICA: Disassembler: add external op to namespace on first pass
ACPICA: Disassembler: prevent external op's from opening a new scope
ACPICA: Changed Gbl_disasm_flag to acpi_gbl_disasm_flag
ACPICA: Changing External to a named object
ACPICA: Update two error messages to emit control method name
ACPICA: Fix for Device/Thermal objects with ObjectType and DerefOf
ACPICA: Comment update: spelling/format. No functional change
ACPICA: Update comments, no functional change
ACPICA: Split resource descriptor decode strings to a new file
ACPICA: Remove extraneous status check
ACPICA: Export the public mutex interfaces
ACPICA: Disassembler: Abort on an invalid/unknown AML opcode
...
* acpi-pm:
PM / core: Drop run_wake flag from struct dev_pm_info
PCI / PM: Simplify device wakeup settings code
PCI / PM: Drop pme_interrupt flag from struct pci_dev
ACPI / PM: Consolidate device wakeup settings code
ACPI / PM: Drop run_wake from struct acpi_device_wakeup_flags
ACPI / sleep: EC-based wakeup from suspend-to-idle on recent systems
platform: x86: intel-hid: Wake up the system from suspend-to-idle
platform: x86: intel-vbtn: Wake up the system from suspend-to-idle
ACPI / PM: Ignore spurious SCI wakeups from suspend-to-idle
platform/x86: Add driver for ACPI INT0002 Virtual GPIO device
PCI / PM: Restore PME Enable if skipping wakeup setup
PM / sleep: Print timing information if debug is enabled
ACPI / PM: Clean up device wakeup enable/disable code
ACPI / PM: Change log level of wakeup-related message
USB / PCI / PM: Allow the PCI core to do the resume cleanup
ACPI / PM: Run wakeup notify handlers synchronously
Conflicts:
drivers/base/power/main.c
* pm-sleep:
PM: hibernate: constify attribute_group structures.
PM / hibernate: Drop redundant parameter of swsusp_alloc()
PM / hibernate: Use CONFIG_HAVE_SET_MEMORY for include condition
x86/power/64: Use char arrays for asm function names
* pm-cpufreq:
cpufreq / CPPC: Initialize policy->min to lowest nonlinear performance
cpufreq: sfi: make freq_table static
cpufreq: exynos5440: Fix inconsistent indenting
cpufreq: imx6q: imx6ull should use the same flow as imx6ul
cpufreq: dt: Add support for hi3660
* intel_pstate:
cpufreq: Update scaling_cur_freq documentation
cpufreq: intel_pstate: Clean up after performance governor changes
intel_pstate: skip scheduler hook when in "performance" mode
intel_pstate: delete scheduler hook in HWP mode
x86: use common aperfmperf_khz_on_cpu() to calculate KHz using APERF/MPERF
cpufreq: intel_pstate: Remove max/min fractions to limit performance
x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz"
* pm-cpuidle:
cpuidle: menu: allow state 0 to be disabled
intel_idle: Use more common logging style
x86/ACPI/cstate: Allow ACPI C1 FFH MWAIT use on AMD systems
ARM: cpuidle: Support asymmetric idle definition
* pm-tools:
cpupower: Add support for new AMD family 0x17
cpupower: Fix bug where return value was not used
tools/power turbostat: update version number
tools/power turbostat: decode MSR_IA32_MISC_ENABLE only on Intel
tools/power turbostat: stop migrating, unless '-m'
tools/power turbostat: if --debug, print sampling overhead
tools/power turbostat: hide SKL counters, when not requested
intel_pstate: use updated msr-index.h HWP.EPP values
tools/power x86_energy_perf_policy: support HWP.EPP
x86: msr-index.h: fix shifts to ULL results in HWP macros.
x86: msr-index.h: define HWP.EPP values
x86: msr-index.h: define EPB mid-points
Userspace application can do a hypercall through /dev/xen/privcmd, and
some for some hypercalls argument is a pointers to user-provided
structure. When SMAP is supported and enabled, hypervisor can't access.
So, lets allow it.
The same applies to HYPERVISOR_dm_op, where additionally privcmd driver
carefully verify buffer addresses.
Cc: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Remove unnecessary variable mfn in function xen_foreach_remap_area() and,
refactor the code.
Variable mfn at line 518:mfn = xen_remap_buf.mfns[i];
is only being used to store a value to be passed as
an argument to the xen_update_mem_tables() function.
This value can be passed directly, which makes variable
mfn unnecessary. Also, value assigned to variable mfn
at line 534:mfn = xen_remap_mfn; is never used.
Addresses-Coverity-ID: 1260110
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Some overlapping changes in the mlx5 driver.
A merge conflict resolution posted by Stephen Rothwell was used as a
guide.
Signed-off-by: David S. Miller <davem@davemloft.net>
