1. 18 Jan, 2019 1 commit
  2. 17 Jan, 2019 13 commits
  3. 16 Jan, 2019 10 commits
  4. 15 Jan, 2019 5 commits
    • Tycho Andersen's avatar
      seccomp: fix UAF in user-trap code · a811dc61
      Tycho Andersen authored
      On the failure path, we do an fput() of the listener fd if the filter fails
      to install (e.g. because of a TSYNC race that's lost, or if the thread is
      killed, etc.). fput() doesn't actually release the fd, it just ads it to a
      work queue. Then the thread proceeds to free the filter, even though the
      listener struct file has a reference to it.
      
      To fix this, on the failure path let's set the private data to null, so we
      know in ->release() to ignore the filter.
      
      Reported-by: syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com
      Fixes: 6a21cc50 ("seccomp: add a return code to trap to userspace")
      Signed-off-by: default avatarTycho Andersen <tycho@tycho.ws>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      a811dc61
    • Linus Torvalds's avatar
      Merge tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 7939f8be
      Linus Torvalds authored
      Pull tracing fix from Steven Rostedt:
       "Andrea Righi fixed a NULL pointer dereference in trace_kprobe_create()
      
        It is possible to trigger a NULL pointer dereference by writing an
        incorrectly formatted string to the krpobe_events file"
      
      * tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()
      7939f8be
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · e8746440
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix regression in multi-SKB responses to RTM_GETADDR, from Arthur
          Gautier.
      
       2) Fix ipv6 frag parsing in openvswitch, from Yi-Hung Wei.
      
       3) Unbounded recursion in ipv4 and ipv6 GUE tunnels, from Stefano
          Brivio.
      
       4) Use after free in hns driver, from Yonglong Liu.
      
       5) icmp6_send() needs to handle the case of NULL skb, from Eric
          Dumazet.
      
       6) Missing rcu read lock in __inet6_bind() when operating on mapped
          addresses, from David Ahern.
      
       7) Memory leak in tipc-nl_compat_publ_dump(), from Gustavo A. R. Silva.
      
       8) Fix PHY vs r8169 module loading ordering issues, from Heiner
          Kallweit.
      
       9) Fix bridge vlan memory leak, from Ido Schimmel.
      
      10) Dev refcount leak in AF_PACKET, from Jason Gunthorpe.
      
      11) Infoleak in ipv6_local_error(), flow label isn't completely
          initialized. From Eric Dumazet.
      
      12) Handle mv88e6390 errata, from Andrew Lunn.
      
      13) Making vhost/vsock CID hashing consistent, from Zha Bin.
      
      14) Fix lack of UMH cleanup when it unexpectedly exits, from Taehee Yoo.
      
      15) Bridge forwarding must clear skb->tstamp, from Paolo Abeni.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
        bnxt_en: Fix context memory allocation.
        bnxt_en: Fix ring checking logic on 57500 chips.
        mISDN: hfcsusb: Use struct_size() in kzalloc()
        net: clear skb->tstamp in bridge forwarding path
        net: bpfilter: disallow to remove bpfilter module while being used
        net: bpfilter: restart bpfilter_umh when error occurred
        net: bpfilter: use cleanup callback to release umh_info
        umh: add exit routine for UMH process
        isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
        vhost/vsock: fix vhost vsock cid hashing inconsistent
        net: stmmac: Prevent RX starvation in stmmac_napi_poll()
        net: stmmac: Fix the logic of checking if RX Watchdog must be enabled
        net: stmmac: Check if CBS is supported before configuring
        net: stmmac: dwxgmac2: Only clear interrupts that are active
        net: stmmac: Fix PCI module removal leak
        tools/bpf: fix bpftool map dump with bitfields
        tools/bpf: test btf bitfield with >=256 struct member offset
        bpf: fix bpffs bitfield pretty print
        net: ethernet: mediatek: fix warning in phy_start_aneg
        tcp: change txhash on SYN-data timeout
        ...
      e8746440
    • Andrea Righi's avatar
      tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create() · 8b05a3a7
      Andrea Righi authored
      It is possible to trigger a NULL pointer dereference by writing an
      incorrectly formatted string to krpobe_events (trying to create a
      kretprobe omitting the symbol).
      
      Example:
      
       echo "r:event_1 " >> /sys/kernel/debug/tracing/kprobe_events
      
      That triggers this:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
       #PF error: [normal kernel read fault]
       PGD 0 P4D 0
       Oops: 0000 [#1] SMP PTI
       CPU: 6 PID: 1757 Comm: bash Not tainted 5.0.0-rc1+ #125
       Hardware name: Dell Inc. XPS 13 9370/0F6P3V, BIOS 1.5.1 08/09/2018
       RIP: 0010:kstrtoull+0x2/0x20
       Code: 28 00 00 00 75 17 48 83 c4 18 5b 41 5c 5d c3 b8 ea ff ff ff eb e1 b8 de ff ff ff eb da e8 d6 36 bb ff 66 0f 1f 44 00 00 31 c0 <80> 3f 2b 55 48 89 e5 0f 94 c0 48 01 c7 e8 5c ff ff ff 5d c3 66 2e
       RSP: 0018:ffffb5d482e57cb8 EFLAGS: 00010246
       RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff82b12720
       RDX: ffffb5d482e57cf8 RSI: 0000000000000000 RDI: 0000000000000000
       RBP: ffffb5d482e57d70 R08: ffffa0c05e5a7080 R09: ffffa0c05e003980
       R10: 0000000000000000 R11: 0000000040000000 R12: ffffa0c04fe87b08
       R13: 0000000000000001 R14: 000000000000000b R15: ffffa0c058d749e1
       FS:  00007f137c7f7740(0000) GS:ffffa0c05e580000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 0000000497d46004 CR4: 00000000003606e0
       Call Trace:
        ? trace_kprobe_create+0xb6/0x840
        ? _cond_resched+0x19/0x40
        ? _cond_resched+0x19/0x40
        ? __kmalloc+0x62/0x210
        ? argv_split+0x8f/0x140
        ? trace_kprobe_create+0x840/0x840
        ? trace_kprobe_create+0x840/0x840
        create_or_delete_trace_kprobe+0x11/0x30
        trace_run_command+0x50/0x90
        trace_parse_run_command+0xc1/0x160
        probes_write+0x10/0x20
        __vfs_write+0x3a/0x1b0
        ? apparmor_file_permission+0x1a/0x20
        ? security_file_permission+0x31/0xf0
        ? _cond_resched+0x19/0x40
        vfs_write+0xb1/0x1a0
        ksys_write+0x55/0xc0
        __x64_sys_write+0x1a/0x20
        do_syscall_64+0x5a/0x120
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fix by doing the proper argument checks in trace_kprobe_create().
      
      Cc: Ingo Molnar <mingo@redhat.com>
      Link: https://lore.kernel.org/lkml/20190111095108.b79a2ee026185cbd62365977@kernel.org
      Link: http://lkml.kernel.org/r/20190111060113.GA22841@xps-13
      Fixes: 6212dd29 ("tracing/kprobes: Use dyn_event framework for kprobe events")
      Acked-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarAndrea Righi <righi.andrea@gmail.com>
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      8b05a3a7
    • Ming Lei's avatar
      sbitmap: Protect swap_lock from hardirq · fe76fc6a
      Ming Lei authored
      Because we may call blk_mq_get_driver_tag() directly from
      blk_mq_dispatch_rq_list() without holding any lock, then HARDIRQ may
      come and the above DEADLOCK is triggered.
      
      Commit ab53dcfb3e7b ("sbitmap: Protect swap_lock from hardirq") tries to
      fix this issue by using 'spin_lock_bh', which isn't enough because we
      complete request from hardirq context direclty in case of multiqueue.
      
      Cc: Clark Williams <williams@redhat.com>
      Fixes: ab53dcfb3e7b ("sbitmap: Protect swap_lock from hardirq")
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Ming Lei <ming.lei@redhat.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarMing Lei <ming.lei@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fe76fc6a
  5. 14 Jan, 2019 7 commits
    • Steven Rostedt (VMware)'s avatar
      sbitmap: Protect swap_lock from softirqs · 37198768
      Steven Rostedt (VMware) authored
      The swap_lock used by sbitmap has a chain with locks taken from softirq,
      but the swap_lock is not protected from being preempted by softirqs.
      
      A chain exists of:
      
       sbq->ws[i].wait -> dispatch_wait_lock -> swap_lock
      
      Where the sbq->ws[i].wait lock can be taken from softirq context, which
      means all locks below it in the chain must also be protected from
      softirqs.
      Reported-by: default avatarClark Williams <williams@redhat.com>
      Fixes: 58ab5e32 ("sbitmap: silence bogus lockdep IRQ warning")
      Fixes: ea86ea2c ("sbitmap: amortize cost of clearing bits")
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Ming Lei <ming.lei@redhat.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      37198768
    • Linus Torvalds's avatar
      Merge tag 'gpio-v5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · c962cb32
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "The patch hitting the MMC/SD subsystem is fixing up my own mess when
        moving semantics from MMC/SD over to gpiolib. Ulf is on vacation but I
        managed to reach him on chat and obtain his ACK.
      
        The other two are early-rc fixes that are not super serious but pretty
        annoying so I'd like to get rid of them.
      
        Summary:
      
         - Get rid of some WARN_ON() from the ACPI code
      
         - Staticize a symbol
      
         - Fix MMC polarity detection"
      
      * tag 'gpio-v5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        mmc: core: don't override the CD GPIO level when "cd-inverted" is set
        gpio: pca953x: Make symbol 'pca953x_i2c_regmap' static
        gpiolib-acpi: Remove unnecessary WARN_ON from acpi_gpiochip_free_interrupts
      c962cb32
    • Linus Torvalds's avatar
      Merge tag 'mfd-next-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd · 9deb9e16
      Linus Torvalds authored
      Pull MFD updates from Lee Jones:
       "New Device Support
         - Add support for Power Supply to AXP813
         - Add support for GPIO, ADC, AC and Battery Power Supply to AXP803
         - Add support for UART to Exynos LPASS
      
        Fix-ups:
         - Use supplied MACROS; ti_am335x_tscadc
         - Trivial spelling/whitespace/alignment; tmio, axp20x, rave-sp
         - Regmap changes; bd9571mwv, wm5110-tables
         - Kconfig dependencies; MFD_AT91_USART
         - Supply shared data for child-devices; madera-core
         - Use new of_node_name_eq() API call; max77620, stmpe
         - Use managed resources (devm_*); tps65218
         - Comment descriptions; ingenic-tcu
         - Coding style; madera-core
      
        Bug Fixes:
         - Fix section mismatches; twl-core, db8500-prcmu
         - Correct error path related issues; mt6397-core, ab8500-core, mc13xxx-core
         - IRQ related fixes; tps6586x
         - Ensure proper initialisation sequence; qcom_rpm
         - Repair potential memory leak; cros_ec_dev"
      
      * tag 'mfd-next-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: (25 commits)
        mfd: exynos-lpass: Enable UART module support
        mfd: mc13xxx: Fix a missing check of a register-read failure
        mfd: cros_ec: Add commands to control codec
        mfd: madera: Remove spurious semicolon in while loop
        mfd: rave-sp: Fix typo in rave_sp_checksum comment
        mfd: ingenic-tcu: Fix bit field description in header
        mfd: tps65218: Use devm_regmap_add_irq_chip and clean up error path in probe()
        mfd: Use of_node_name_eq() for node name comparisons
        mfd: cros_ec_dev: Add missing mfd_remove_devices() call in remove
        mfd: axp20x: Add supported cells for AXP803
        mfd: axp20x: Re-align MFD cell entries
        mfd: axp20x: Add AC power supply cell for AXP813
        mfd: wm5110: Add missing ASRC rate register
        mfd: qcom_rpm: write fw_version to CTRL_REG
        mfd: tps6586x: Handle interrupts on suspend
        mfd: madera: Add shared data for accessory detection
        mfd: at91-usart: Add platform dependency
        mfd: bd9571mwv: Add volatile register to make DVFS work
        mfd: ab8500-core: Return zero in get_register_interruptible()
        mfd: tmio: Typo s/use use/use/
        ...
      9deb9e16
    • Linus Torvalds's avatar
      Merge tag 'backlight-next-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight · 3a73e73a
      Linus Torvalds authored
      Pull backlight updates from Lee Jones:
       "Fix-ups:
         - Use new of_node_name_eq() API call
      
        Bug Fixes:
         - Internally track 'enabled' state in pwm_bl
         - Fix auto-generated pwm_bl brightness tables parsed by DT
      
      * tag 'backlight-next-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight:
        backlight: 88pm860x_bl: Use of_node_name_eq for node name comparisons
        backlight: pwm_bl: Fix devicetree parsing with auto-generated brightness tables
        backlight: pwm_bl: Re-add driver internal enabled tracking
      3a73e73a
    • Masahiro Yamada's avatar
      kbuild: remove unused baseprereq · bd352a73
      Masahiro Yamada authored
      Commit eea199b4 ("kbuild: remove unnecessary LEX_PREFIX and
      YACC_PREFIX") removed the last users of this macro.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      bd352a73
    • Paul Burton's avatar
      kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7 · 16fd20aa
      Paul Burton authored
      When building using GCC 4.7 or older, -ffunction-sections & the -pg flag
      used by ftrace are incompatible. This causes warnings or build failures
      (where -Werror applies) such as the following:
      
        arch/mips/generic/init.c:
          error: -ffunction-sections disabled; it makes profiling impossible
      
      This used to be taken into account by the ordering of calls to cc-option
      from within the top-level Makefile, which was introduced by commit
      90ad4052 ("kbuild: avoid conflict between -ffunction-sections and
      -pg on gcc-4.7"). Unfortunately this was broken when the
      CONFIG_LD_DEAD_CODE_DATA_ELIMINATION cc-option check was moved to
      Kconfig in commit e85d1d65 ("kbuild: test dead code/data elimination
      support in Kconfig"), because the flags used by this check no longer
      include -pg.
      
      Fix this by not allowing CONFIG_LD_DEAD_CODE_DATA_ELIMINATION to be
      enabled at the same time as ftrace/CONFIG_FUNCTION_TRACER when building
      using GCC 4.7 or older.
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Fixes: e85d1d65 ("kbuild: test dead code/data elimination support in Kconfig")
      Reported-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      16fd20aa
    • Masahiro Yamada's avatar
      kconfig: clean generated *conf-cfg files · 2648ca18
      Masahiro Yamada authored
      I accidentally dropped '*' in the previous renaming patch.
      
      Revive it so that 'make mrproper' can clean the generated files.
      
      Fixes: d86271af ("kconfig: rename generated .*conf-cfg to *conf-cfg")
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      2648ca18
  6. 13 Jan, 2019 4 commits
    • Linus Torvalds's avatar
      Linux 5.0-rc2 · 1c7fc5cb
      Linus Torvalds authored
      1c7fc5cb
    • Jonathan Neuschäfer's avatar
      kernel/sys.c: Clarify that UNAME26 does not generate unique versions anymore · b7285b42
      Jonathan Neuschäfer authored
      UNAME26 is a mechanism to report Linux's version as 2.6.x, for
      compatibility with old/broken software.  Due to the way it is
      implemented, it would have to be updated after 5.0, to keep the
      resulting versions unique.  Linus Torvalds argued:
      
       "Do we actually need this?
      
        I'd rather let it bitrot, and just let it return random versions. It
        will just start again at 2.4.60, won't it?
      
        Anybody who uses UNAME26 for a 5.x kernel might as well think it's
        still 4.x. The user space is so old that it can't possibly care about
        differences between 4.x and 5.x, can it?
      
        The only thing that matters is that it shows "2.4.<largeenough>",
        which it will do regardless"
      Signed-off-by: default avatarJonathan Neuschäfer <j.neuschaefer@gmx.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b7285b42
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · dbc3c09b
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A bigger batch than I anticipated this week, for two reasons:
      
         - Some fallout on Davinci from board file -> DTB conversion, that
           also includes a few longer-standing fixes (i.e. not recent
           regressions).
      
         - drivers/reset material that has been in linux-next for a while, but
           didn't get sent to us until now for a variety of reasons
           (maintainer out sick, holidays, etc). There's a functional
           dependency in there such that one platform (Altera's SoCFPGA) won't
           boot without one of the patches; instead of reverting the patch
           that got merged, I looked at this set and decided it was small
           enough that I'll pick it up anyway. If you disagree I can revisit
           with a smaller set.
      
        That being said, there's also a handful of the usual stuff:
      
         - Fix for a crash on Armada 7K/8K when the kernel touches
           PSCI-reserved memory
      
         - Fix for PCIe reset on Macchiatobin (Armada 8K development board,
           what this email is sent from in fact :)
      
         - Enable a few new-merged modules for Amlogic in arm64 defconfig
      
         - Error path fixes on Integrator
      
         - Build fix for Renesas and Qualcomm
      
         - Initialization fix for Renesas RZ/G2E
      
        .. plus a few more fixlets"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (28 commits)
        ARM: integrator: impd1: use struct_size() in devm_kzalloc()
        qcom-scm: Include <linux/err.h> header
        gpio: pl061: handle failed allocations
        ARM: dts: kirkwood: Fix polarity of GPIO fan lines
        arm64: dts: marvell: mcbin: fix PCIe reset signal
        arm64: dts: marvell: armada-ap806: reserve PSCI area
        ARM: dts: da850-lcdk: Correct the sound card name
        ARM: dts: da850-lcdk: Correct the audio codec regulators
        ARM: dts: da850-evm: Correct the sound card name
        ARM: dts: da850-evm: Correct the audio codec regulators
        ARM: davinci: omapl138-hawk: fix label names in GPIO lookup entries
        ARM: davinci: dm644x-evm: fix label names in GPIO lookup entries
        ARM: davinci: dm355-evm: fix label names in GPIO lookup entries
        ARM: davinci: da850-evm: fix label names in GPIO lookup entries
        ARM: davinci: da830-evm: fix label names in GPIO lookup entries
        arm64: defconfig: enable modules for amlogic s400 sound card
        reset: uniphier-glue: Add AHCI reset control support in glue layer
        dt-bindings: reset: uniphier: Add AHCI core reset description
        reset: uniphier-usb3: Rename to reset-uniphier-glue
        dt-bindings: reset: uniphier: Replace the expression of USB3 with generic peripherals
        ...
      dbc3c09b
    • Linus Torvalds's avatar
      Merge tag 'for-5.0-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 6b529fb0
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - two regression fixes in clone/dedupe ioctls, the generic check
         callback needs to lock extents properly and wait for io to avoid
         problems with writeback and relocation
      
       - fix deadlock when using free space tree due to block group creation
      
       - a recently added check refuses a valid fileystem with seeding device,
         make that work again with a quickfix, proper solution needs more
         intrusive changes
      
      * tag 'for-5.0-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: Use real device structure to verify dev extent
        Btrfs: fix deadlock when using free space tree due to block group creation
        Btrfs: fix race between reflink/dedupe and relocation
        Btrfs: fix race between cloning range ending at eof and writeback
      6b529fb0