1. 22 Apr, 2020 3 commits
    • RDMA/core: Prevent mixed use of FDs between shared ufiles · 0fb00941
      Leon Romanovsky authored
      FDs can only be used on the ufile that created them, they cannot be mixed
      to other ufiles. We are lacking a check to prevent it.
      
        BUG: KASAN: null-ptr-deref in atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
        BUG: KASAN: null-ptr-deref in atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
        BUG: KASAN: null-ptr-deref in fput_many+0x1a/0x140 fs/file_table.c:336
        Write of size 8 at addr 0000000000000038 by task syz-executor179/284
      
        CPU: 0 PID: 284 Comm: syz-executor179 Not tainted 5.5.0-rc5+ #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
        Call Trace:
         __dump_stack lib/dump_stack.c:77 [inline]
         dump_stack+0x94/0xce lib/dump_stack.c:118
         __kasan_report+0x18f/0x1b7 mm/kasan/report.c:510
         kasan_report+0xe/0x20 mm/kasan/common.c:639
         check_memory_region_inline mm/kasan/generic.c:185 [inline]
         check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
         atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
         atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
         fput_many+0x1a/0x140 fs/file_table.c:336
         rdma_lookup_put_uobject+0x85/0x130 drivers/infiniband/core/rdma_core.c:692
         uobj_put_read include/rdma/uverbs_std_types.h:96 [inline]
         _ib_uverbs_lookup_comp_file drivers/infiniband/core/uverbs_cmd.c:198 [inline]
         create_cq+0x375/0xba0 drivers/infiniband/core/uverbs_cmd.c:1006
         ib_uverbs_create_cq+0x114/0x140 drivers/infiniband/core/uverbs_cmd.c:1089
         ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:769
         __vfs_write+0x7c/0x100 fs/read_write.c:494
         vfs_write+0x168/0x4a0 fs/read_write.c:558
         ksys_write+0xc8/0x200 fs/read_write.c:611
         do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:294
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: cf8966b3 ("IB/core: Add support for fd objects")
      Link: https://lore.kernel.org/r/20200421082929.311931-2-leon@kernel.org
      Suggested-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • RDMA/uverbs: Fix a race with disassociate and exit_mmap() · 39c011a5
      Jason Gunthorpe authored
      If uverbs_user_mmap_disassociate() is called while the mmap is
      concurrently doing exit_mmap then the ordering of the
      rdma_user_mmap_entry_put() is not reliable.
      
      The put must be done before uverbs_user_mmap_disassociate() returns,
      otherwise there can be a use after free on the ucontext, and a left over
      entry in the xarray. If the put is not done here then it is done during
      rdma_umap_close() later.
      
      Add the missing put to the error exit path.
      
        WARNING: CPU: 7 PID: 7111 at drivers/infiniband/core/rdma_core.c:810 uverbs_destroy_ufile_hw+0x2a5/0x340 [ib_uverbs]
        Modules linked in: bonding ipip tunnel4 geneve ip6_udp_tunnel udp_tunnel ip6_gre ip6_tunnel tunnel6 ip_gre ip_tunnel gre mlx5_ib mlx5_core mlxfw pci_hyperv_intf act_ct nf_flow_table ptp pps_core rdma_ucm ib_uverbs ib_ipoib ib_umad 8021q garp mrp openvswitch nsh nf_conncount nfsv3 nfs_acl xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype iptable_filter xt_conntrack br_netfilter bridge stp llc rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache overlay rpcrdma ib_isert iscsi_target_mod ib_iser kvm_intel ib_srpt iTCO_wdt target_core_mod iTCO_vendor_support kvm ib_srp nf_nat irqbypass crc32_pclmul crc32c_intel nf_conntrack rfkill nf_defrag_ipv6 virtio_net nf_defrag_ipv4 pcspkr ghash_clmulni_intel i2c_i801 net_failover failover i2c_core lpc_ich mfd_core rdma_cm ib_cm iw_cm button ib_core sunrpc sch_fq_codel ip_tables serio_raw [last unloaded: tunnel4]
        CPU: 7 PID: 7111 Comm: python3 Tainted: G        W         5.6.0-rc6-for-upstream-dbg-2020-03-21_06-41-26-18 #1
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
        RIP: 0010:uverbs_destroy_ufile_hw+0x2a5/0x340 [ib_uverbs]
        Call Trace:
         ib_uverbs_remove_one+0x273/0x480 [ib_uverbs]
         ? up_write+0x15c/0x4a0
         remove_client_context+0xa6/0xf0 [ib_core]
         disable_device+0x12d/0x200 [ib_core]
         ? remove_client_context+0xf0/0xf0 [ib_core]
         ? mnt_get_count+0x1d0/0x1d0
         __ib_unregister_device+0x79/0x150 [ib_core]
         ib_unregister_device+0x21/0x30 [ib_core]
         __mlx5_ib_remove+0x91/0x110 [mlx5_ib]
         ? __mlx5_ib_remove+0x110/0x110 [mlx5_ib]
         mlx5_remove_device+0x241/0x310 [mlx5_core]
         mlx5_unregister_device+0x4d/0x1e0 [mlx5_core]
         mlx5_unload_one+0xc0/0x260 [mlx5_core]
         remove_one+0x5c/0x160 [mlx5_core]
         pci_device_remove+0xef/0x2a0
         ? pcibios_free_irq+0x10/0x10
         device_release_driver_internal+0x1d8/0x470
         unbind_store+0x152/0x200
         ? sysfs_kf_write+0x3b/0x180
         ? sysfs_file_ops+0x160/0x160
         kernfs_fop_write+0x284/0x460
         ? __sb_start_write+0x243/0x3a0
         vfs_write+0x197/0x4a0
         ksys_write+0x156/0x1e0
         ? __x64_sys_read+0xb0/0xb0
         ? do_syscall_64+0x73/0x1330
         ? do_syscall_64+0x73/0x1330
         do_syscall_64+0xe7/0x1330
         ? down_write_nested+0x3e0/0x3e0
         ? syscall_return_slowpath+0x970/0x970
         ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
         ? lockdep_hardirqs_off+0x1de/0x2d0
         ? trace_hardirqs_off_thunk+0x1a/0x1c
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: c043ff2c ("RDMA: Connect between the mmap entry and the umap_priv structure")
      Link: https://lore.kernel.org/r/20200413132136.930388-1-leon@kernel.org
      Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • RDMA/mlx5: Set GRH fields in query QP on RoCE · 2d7e3ff7
      Aharon Landau authored
      GRH fields such as sgid_index, hop limit, etc. are set in the QP context
      when QP is created/modified.
      
      Currently, when query QP is performed, we fill the GRH fields only if the
      GRH bit is set in the QP context, but this bit is not set for RoCE. Adjust
      the check so we will set all relevant data for the RoCE too.
      
      Since this data is returned to userspace, the below is an ABI regression.
      
      Fixes: d8966fcd ("IB/core: Use rdma_ah_attr accessor functions")
      Link: https://lore.kernel.org/r/20200413132028.930109-1-leon@kernel.org
      Signed-off-by: Aharon Landau <aharonl@mellanox.com>
      Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  2. 15 Apr, 2020 1 commit
  3. 14 Apr, 2020 4 commits
  4. 12 Apr, 2020 10 commits
    • Linux 5.7-rc1 · 8f3d9f35
      Linus Torvalds authored
    • MAINTAINERS: sort field names for all entries · 3b50142d
      Linus Torvalds authored
      This sorts the actual field names too, potentially causing even more
      chaos and confusion at merge time if you have edited the MAINTAINERS
      file.  But the end result is a more consistent layout, and hopefully
      it's a one-time pain minimized by doing this just before the -rc1
      release.
      
      This was entirely scripted:
      
        ./scripts/parse-maintainers.pl --input=MAINTAINERS --output=MAINTAINERS --order
      
      Requested-by: Joe Perches <joe@perches.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • MAINTAINERS: sort entries by entry name · 4400b7d6
      Linus Torvalds authored
      They are all supposed to be sorted, but people who add new entries don't
      always know the alphabet.  Plus sometimes the entry names get edited,
      and people don't then re-order the entry.
      
      Let's see how painful this will be for merging purposes (the MAINTAINERS
      file is often edited in various different trees), but Joe claims there's
      relatively few patches in -next that touch this, and doing it just
      before -rc1 is likely the best time.  Fingers crossed.
      
      This was scripted with
      
        ./scripts/parse-maintainers.pl --input=MAINTAINERS --output=MAINTAINERS
      
      but then I also ended up manually upper-casing a few entry names that
      stood out when looking at the end result.
      
      Requested-by: Joe Perches <joe@perches.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'x86-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4f8a3cc1
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of three patches to fix the fallout of the newly added split
        lock detection feature.
      
        It addressed the case where a KVM guest triggers a split lock #AC and
        KVM reinjects it into the guest which is not prepared to handle it.
      
        Add proper sanity checks which prevent the unconditional injection
        into the guest and handle the #AC on the host side in the same way as
        user space detections are handled. Depending on the detection mode it
        either warns and disables detection for the task or kills the task if
        the mode is set to fatal"
      
      * tag 'x86-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        KVM: VMX: Extend VMXs #AC interceptor to handle split lock #AC in guest
        KVM: x86: Emulate split-lock access as a write in emulator
        x86/split_lock: Provide handle_guest_split_lock()
    • Merge tag 'timers-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0785249f
      Linus Torvalds authored
      Pull time(keeping) updates from Thomas Gleixner:
      
       - Fix the time_for_children symlink in /proc/$PID/ so it properly
         reflects that it is part of the 'time' namespace
      
       - Add the missing userns limit for the allowed number of time
         namespaces, which was half defined but the actual array member was
         not added. This went unnoticed as the array has an excessive empty
         member at the end but introduced a user visible regression as the
         output was corrupted.
      
       - Prevent further silent ucount corruption by adding a BUILD_BUG_ON()
         to catch half updated data.
      
      * tag 'timers-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        ucount: Make sure ucounts in /proc/sys/user don't regress again
        time/namespace: Add max_time_namespaces ucount
        time/namespace: Fix time_for_children symlink
    • Merge tag 'sched-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 590680d1
      Linus Torvalds authored
      Pull scheduler fixes/updates from Thomas Gleixner:
      
       - Deduplicate the average computations in the scheduler core and the
         fair class code.
      
       - Fix a race between runtime distribution and assignment which can
         cause exceeding the quota by up to 70%.
      
       - Prevent negative results in the imbalance calculation
      
       - Remove a stale warning in the workqueue code which can be triggered
         since the call site was moved out of preempt disabled code. It's a
         false positive.
      
       - Deduplicate the print macros for procfs
      
       - Add the uclamp values to the SCHED_DEBUG procfs output for completeness
      
      * tag 'sched-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/debug: Add task uclamp values to SCHED_DEBUG procfs
        sched/debug: Factor out printing formats into common macros
        sched/debug: Remove redundant macro define
        sched/core: Remove unused rq::last_load_update_tick
        workqueue: Remove the warning in wq_worker_sleeping()
        sched/fair: Fix negative imbalance in imbalance calculation
        sched/fair: Fix race between runtime distribution and assignment
        sched/fair: Align rq->avg_idle and rq->avg_scan_cost
    • Merge tag 'perf-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 20e2aa81
      Linus Torvalds authored
      Pull perf fixes from Thomas Gleixner:
       "Three fixes/updates for perf:
      
         - Fix the perf event cgroup tracking which tries to track the cgroup
           even for disabled events.
      
         - Add Ice Lake server support for uncore events
      
         - Disable pagefaults when retrieving the physical address in the
           sampling code"
      
      * tag 'perf-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/core: Disable page faults when getting phys address
        perf/x86/intel/uncore: Add Ice Lake server uncore support
        perf/cgroup: Correct indirection in perf_less_group_idx()
        perf/core: Fix event cgroup tracking
    • Merge tag 'locking-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 652fa53c
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "Three small fixes/updates for the locking core code:
      
         - Plug a task struct reference leak in the percpu rwsem
           implementation.
      
         - Document the refcount interaction with PID_MAX_LIMIT
      
         - Improve the 'invalid wait context' data dump in lockdep so it
           contains all information which is required to decode the problem"
      
      * tag 'locking-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/lockdep: Improve 'invalid wait context' splat
        locking/refcount: Document interaction with PID_MAX_LIMIT
        locking/percpu-rwsem: Fix a task_struct refcount
    • Merge tag '5.7-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · 4119bf9f
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Ten cifs/smb fixes:
      
         - five RDMA (smbdirect) related fixes
      
         - add experimental support for swap over SMB3 mounts
      
         - also a fix which improves performance of signed connections"
      
      * tag '5.7-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: enable swap on SMB3 mounts
        smb3: change noisy error message to FYI
        smb3: smbdirect support can be configured by default
        cifs: smbd: Do not schedule work to send immediate packet on every receive
        cifs: smbd: Properly process errors on ib_post_send
        cifs: Allocate crypto structures on the fly for calculating signatures of incoming packets
        cifs: smbd: Update receive credits before sending and deal with credits roll back on failure before sending
        cifs: smbd: Check send queue size before posting a send
        cifs: smbd: Merge code to track pending packets
        cifs: ignore cached share root handle closing errors
    • Merge tag 'nfs-for-5.7-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 50bda5fa
      Linus Torvalds authored
      Pull NFS client bugfix from Trond Myklebust:
       "Fix an RCU read lock leakage in pnfs_alloc_ds_commits_list()"
      
      * tag 'nfs-for-5.7-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        pNFS: Fix RCU lock leakage
  5. 11 Apr, 2020 14 commits
  6. 10 Apr, 2020 8 commits