1. 25 Jul, 2017 7 commits
    • Dan Carpenter's avatar
      scsi: qedi: Fix return code in qedi_ep_connect() · 2c675218
      Dan Carpenter authored
      We shouldn't be writing over the "ret" variable.  It means we return
      ERR_PTR(0) which is NULL and it results in a NULL dereference in the
      caller.
      
      Fixes: ace7f46b ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      2c675218
    • Arnd Bergmann's avatar
      scsi: lpfc: fix linking against modular NVMe support · cd069bb9
      Arnd Bergmann authored
      When LPFC is built-in but NVMe is a loadable module, we fail to link the
      kernel:
      
      drivers/scsi/built-in.o: In function `lpfc_nvme_create_localport':
      (.text+0x156a82): undefined reference to `nvme_fc_register_localport'
      drivers/scsi/built-in.o: In function `lpfc_nvme_destroy_localport':
      (.text+0x156eaa): undefined reference to `nvme_fc_unregister_remoteport'
      
      We can avoid this either by forcing lpfc to be a module, or by disabling
      NVMe support in this case. This implements the former.
      
      Fixes: 7d708033 ("scsi: lpfc: Finalize Kconfig options for nvme")
      Cc: stable@vger.kernel.org
      Link: https://patchwork.kernel.org/patch/9636569/Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      cd069bb9
    • Hannes Reinecke's avatar
      scsi: scsi_transport_fc: return -EBUSY for deleted vport · 260f4aed
      Hannes Reinecke authored
      When trying to delete a vport via 'vport_delete' sysfs attribute we
      should be checking if the port is already in state VPORT_DELETING; if so
      there's no need to do anything.
      Signed-off-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      260f4aed
    • Varun Prakash's avatar
      scsi: libcxgbi: add check for valid cxgbi_task_data · 50292710
      Varun Prakash authored
      In error case it is possible that ->cleanup_task() gets called without
      calling ->alloc_pdu() in this case cxgbi_task_data is not valid, so add
      a check for for valid cxgbi_task_data in cxgbi_cleanup_task().
      Signed-off-by: default avatarVarun Prakash <varun@chelsio.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      50292710
    • Jakub Kicinski's avatar
      scsi: aic7xxx: fix firmware build with O=path · 516b7db5
      Jakub Kicinski authored
      Building firmware with O=path was apparently broken in aic7 for ever.
      Message of the previous commit to the Makefile (from 2008) mentions this
      unfortunate state of affairs already.  Fix this, mostly to make
      randconfig builds more reliable.
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      516b7db5
    • Shu Wang's avatar
      scsi: megaraid_sas: fix memleak in megasas_alloc_cmdlist_fusion · 70c54e21
      Shu Wang authored
      Found this issue by kmemleak, a few kb mem was leaked in
      megasas_alloc_cmdlist_fusion when kzalloc failed for one
      megasas_cmd_fusion allocation.
      
      unreferenced object 0xffff88045dbd2000 (size 8192):
        comm "systemd-udevd", pid 323, jiffies 4294671759 (age 49.008s)
        backtrace:
          [<ffffffff8176166a>] kmemleak_alloc+0x4a/0xa0
          [<ffffffff812186a8>] __kmalloc+0xe8/0x220
          [<ffffffffc0060594>] megasas_alloc_cmdlist_fusion+0x34/0xe0 [megaraid_sas]
      (gdb) list *megasas_alloc_cmdlist_fusion+0x34
      0xd5c4 is in megasas_alloc_cmdlist_fusion
                     (drivers/scsi/megaraid/megaraid_sas_fusion.c:443).
          [<ffffffffc0060ca5>] megasas_alloc_cmds_fusion+0x25/0x410 [megaraid_sas]
          [<ffffffffc0061edf>] megasas_init_adapter_fusion+0x21f/0x640 [megaraid_sas]
          [<ffffffffc005df17>] megasas_init_fw+0x357/0xd30 [megaraid_sas]
          [<ffffffffc005ef26>] megasas_probe_one.part.33+0x636/0x1100 [megaraid_sas]
          [<ffffffffc005fa36>] megasas_probe_one+0x46/0xc0 [megaraid_sas]
          [<ffffffff813d2ca5>] local_pci_probe+0x45/0xa0
          [<ffffffff813d4222>] pci_device_probe+0x192/0x1b0
          [<ffffffff814e3658>] driver_probe_device+0x2a8/0x460
          [<ffffffff814e38ed>] __driver_attach+0xdd/0xe0
          [<ffffffff814e124c>] bus_for_each_dev+0x6c/0xc0
          [<ffffffff814e2dde>] driver_attach+0x1e/0x20
          [<ffffffff814e2775>] bus_add_driver+0x45/0x270
          [<ffffffff814e4400>] driver_register+0x60/0xe0
      unreferenced object 0xffff880454ce3600 (size 192):
        backtrace:
          [<ffffffff8176166a>] kmemleak_alloc+0x4a/0xa0
          [<ffffffff8121801a>] kmem_cache_alloc_trace+0xca/0x1d0
          [<ffffffffc00605d7>] megasas_alloc_cmdlist_fusion+0x77/0xe0 [megaraid_sas]
      (gdb) list *megasas_alloc_cmdlist_fusion+0x77
      0xd607 is in megasas_alloc_cmdlist_fusion
                      (drivers/scsi/megaraid/megaraid_sas_fusion.c:450).
          [<ffffffffc0060ca5>] megasas_alloc_cmds_fusion+0x25/0x410 [megaraid_sas]
          [<ffffffffc0061edf>] megasas_init_adapter_fusion+0x21f/0x640 [megaraid_sas]
          [<ffffffffc005df17>] megasas_init_fw+0x357/0xd30 [megaraid_sas]
          [<ffffffffc005ef26>] megasas_probe_one.part.33+0x636/0x1100 [megaraid_sas]
          [<ffffffffc005fa36>] megasas_probe_one+0x46/0xc0 [megaraid_sas]
          [<ffffffff813d2ca5>] local_pci_probe+0x45/0xa0
          [<ffffffff813d4222>] pci_device_probe+0x192/0x1b0
          [<ffffffff814e3658>] driver_probe_device+0x2a8/0x460
          [<ffffffff814e38ed>] __driver_attach+0xdd/0xe0
          [<ffffffff814e124c>] bus_for_each_dev+0x6c/0xc0
          [<ffffffff814e2dde>] driver_attach+0x1e/0x20
          [<ffffffff814e2775>] bus_add_driver+0x45/0x270
          [<ffffffff814e4400>] driver_register+0x60/0xe0
      Signed-off-by: default avatarShu Wang <shuwang@redhat.com>
      Acked-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      70c54e21
    • Nilesh Javali's avatar
      scsi: qedi: Add ISCSI_BOOT_SYSFS to Kconfig · cc20c29e
      Nilesh Javali authored
      qedi uses iscsi_boot_sysfs to export the targets used for boot to
      sysfs. Select the config option to make sure the module is built.
      
      This addresses the compile time issue,
          drivers/scsi/qedi/qedi_main.o: In function `qedi_remove':
          qedi_main.c:(.text+0x3bbd): undefined reference to `iscsi_boot_destroy_kset'
          drivers/scsi/qedi/qedi_main.o: In function `__qedi_probe.constprop.0':
          qedi_main.c:(.text+0x577a): undefined reference to `iscsi_boot_create_target'
          qedi_main.c:(.text+0x5807): undefined reference to `iscsi_boot_create_target'
          qedi_main.c:(.text+0x587f): undefined reference to `iscsi_boot_create_initiator'
          qedi_main.c:(.text+0x58f3): undefined reference to `iscsi_boot_create_ethernet'
          qedi_main.c:(.text+0x5927): undefined reference to `iscsi_boot_destroy_kset'
          qedi_main.c:(.text+0x5d7b): undefined reference to `iscsi_boot_create_host_kset'
      
      [mkp: fixed whitespace]
      Signed-off-by: default avatarNilesh Javali <nilesh.javali@cavium.com>
      Fixes: c57ec8fb ("scsi: qedi: Add support for Boot from SAN over iSCSI offload")
      Reported-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      cc20c29e
  2. 18 Jul, 2017 3 commits
  3. 12 Jul, 2017 10 commits
  4. 11 Jul, 2017 6 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 130568d5
      Linus Torvalds authored
      Pull more block updates from Jens Axboe:
       "This is a followup for block changes, that didn't make the initial
        pull request. It's a bit of a mixed bag, this contains:
      
         - A followup pull request from Sagi for NVMe. Outside of fixups for
           NVMe, it also includes a series for ensuring that we properly
           quiesce hardware queues when browsing live tags.
      
         - Set of integrity fixes from Dmitry (mostly), fixing various issues
           for folks using DIF/DIX.
      
         - Fix for a bug introduced in cciss, with the req init changes. From
           Christoph.
      
         - Fix for a bug in BFQ, from Paolo.
      
         - Two followup fixes for lightnvm/pblk from Javier.
      
         - Depth fix from Ming for blk-mq-sched.
      
         - Also from Ming, performance fix for mtip32xx that was introduced
           with the dynamic initialization of commands"
      
      * 'for-linus' of git://git.kernel.dk/linux-block: (44 commits)
        block: call bio_uninit in bio_endio
        nvmet: avoid unneeded assignment of submit_bio return value
        nvme-pci: add module parameter for io queue depth
        nvme-pci: compile warnings in nvme_alloc_host_mem()
        nvmet_fc: Accept variable pad lengths on Create Association LS
        nvme_fc/nvmet_fc: revise Create Association descriptor length
        lightnvm: pblk: remove unnecessary checks
        lightnvm: pblk: control I/O flow also on tear down
        cciss: initialize struct scsi_req
        null_blk: fix error flow for shared tags during module_init
        block: Fix __blkdev_issue_zeroout loop
        nvme-rdma: unconditionally recycle the request mr
        nvme: split nvme_uninit_ctrl into stop and uninit
        virtio_blk: quiesce/unquiesce live IO when entering PM states
        mtip32xx: quiesce request queues to make sure no submissions are inflight
        nbd: quiesce request queues to make sure no submissions are inflight
        nvme: kick requeue list when requeueing a request instead of when starting the queues
        nvme-pci: quiesce/unquiesce admin_q instead of start/stop its hw queues
        nvme-loop: quiesce/unquiesce admin_q instead of start/stop its hw queues
        nvme-fc: quiesce/unquiesce admin_q instead of start/stop its hw queues
        ...
      130568d5
    • Linus Torvalds's avatar
      Merge tag 'smb3-security-fixes-for-4.13' of git://git.samba.org/sfrench/cifs-2.6 · 908b852d
      Linus Torvalds authored
      Pull cifs fixes and sane default from Steve French:
       "Upgrade default dialect to more secure SMB3 from older cifs dialect"
      
      * tag 'smb3-security-fixes-for-4.13' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: Clean up unused variables in smb2pdu.c
        [SMB3] Improve security, move default dialect to SMB3 from old CIFS
        [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred
        CIFS: Reconnect expired SMB sessions
        CIFS: Display SMB2 error codes in the hex format
        cifs: Use smb 2 - 3 and cifsacl mount options setacl function
        cifs: prototype declaration and definition to set acl for smb 2 - 3 and cifsacl mount options
      908b852d
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.13-rc1' of git://github.com/ceph/ceph-client · 3bf7878f
      Linus Torvalds authored
      Pull ceph updates from Ilya Dryomov:
       "The main item here is support for v12.y.z ("Luminous") clusters:
        RESEND_ON_SPLIT, RADOS_BACKOFF, OSDMAP_PG_UPMAP and CRUSH_CHOOSE_ARGS
        feature bits, and various other changes in the RADOS client protocol.
      
        On top of that we have a new fsc mount option to allow supplying
        fscache uniquifier (similar to NFS) and the usual pile of filesystem
        fixes from Zheng"
      
      * tag 'ceph-for-4.13-rc1' of git://github.com/ceph/ceph-client: (44 commits)
        libceph: advertise support for NEW_OSDOP_ENCODING and SERVER_LUMINOUS
        libceph: osd_state is 32 bits wide in luminous
        crush: remove an obsolete comment
        crush: crush_init_workspace starts with struct crush_work
        libceph, crush: per-pool crush_choose_arg_map for crush_do_rule()
        crush: implement weight and id overrides for straw2
        libceph: apply_upmap()
        libceph: compute actual pgid in ceph_pg_to_up_acting_osds()
        libceph: pg_upmap[_items] infrastructure
        libceph: ceph_decode_skip_* helpers
        libceph: kill __{insert,lookup,remove}_pg_mapping()
        libceph: introduce and switch to decode_pg_mapping()
        libceph: don't pass pgid by value
        libceph: respect RADOS_BACKOFF backoffs
        libceph: make DEFINE_RB_* helpers more general
        libceph: avoid unnecessary pi lookups in calc_target()
        libceph: use target pi for calc_target() calculations
        libceph: always populate t->target_{oid,oloc} in calc_target()
        libceph: make sure need_resend targets reflect latest map
        libceph: delete from need_resend_linger before check_linger_pool_dne()
        ...
      3bf7878f
    • Linus Torvalds's avatar
      Merge git://www.linux-watchdog.org/linux-watchdog · 07d306c8
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
      
       - Add Renesas RZ/A WDT Watchdog driver
      
       - STM32 Independent WatchDoG (IWDG) support
      
       - UniPhier watchdog support
      
       - Add F71868 support
      
       - Add support for NCT6793D and NCT6795D
      
       - dw_wdt: add reset lines support
      
       - core: add option to avoid early handling of watchdog
      
       - core: introduce watchdog_worker_should_ping helper
      
       - Cleanups and improvements for sama5d4, intel-mid_wdt, s3c2410_wdt,
         orion_wdt, gpio_wdt, it87_wdt, meson_wdt, davinci_wdt, bcm47xx_wdt,
         zx2967_wdt, cadence_wdt
      
      * git://www.linux-watchdog.org/linux-watchdog: (32 commits)
        watchdog: introduce watchdog_worker_should_ping helper
        watchdog: uniphier: add UniPhier watchdog driver
        dt-bindings: watchdog: add description for UniPhier WDT controller
        watchdog: cadence_wdt: make of_device_ids const.
        watchdog: zx2967: constify zx2967_wdt_ops.
        watchdog: bcm47xx_wdt: constify bcm47xx_wdt_hard_ops and bcm47xx_wdt_soft_ops
        watchdog: davinci: Add missing clk_disable_unprepare().
        watchdog: davinci: Handle return value of clk_prepare_enable
        watchdog: meson: Handle return value of clk_prepare_enable
        watchdog: it87: Add support for various Super-IO chips
        watchdog: it87: Use infrastructure to stop watchdog on reboot
        watchdog: it87: Drop support for resetting watchdog though CIR and Game port
        watchdog: it87: Convert to use watchdog core infrastructure
        watchdog: it87: Drop FSF mailing address
        watchdog: dw_wdt: get reset lines from dt
        watchdog: bindings: dw_wdt: add reset lines
        watchdog: w83627hf: Add support for NCT6793D and NCT6795D
        watchdog: core: add option to avoid early handling of watchdog
        watchdog: f71808e_wdt: Add F71868 support
        watchdog: Add STM32 IWDG driver
        ...
      07d306c8
    • Linus Torvalds's avatar
      Merge tag 'chrome-platform-for-linus-4.13' of... · a3ddacba
      Linus Torvalds authored
      Merge tag 'chrome-platform-for-linus-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/bleung/chrome-platform
      
      Pull chrome platform updates from Benson Leung:
       "Changes in this pull request are around catching up cros_ec with the
        internal chromeos-kernel versions of cros_ec, cros_ec_lpc, and
        cros_ec_lightbar.
      
        Also, switching maintainership from olof to bleung"
      
      * tag 'chrome-platform-for-linus-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/bleung/chrome-platform:
        platform/chrome : Add myself as Maintainer
        platform/chrome: cros_ec_lightbar - hide unused PM functions
        cros_ec: Don't signal wake event for non-wake host events
        cros_ec: Fix deadlock when EC is not responsive at probe
        cros_ec: Don't return error when checking command version
        platform/chrome: cros_ec_lightbar - Avoid I2C xfer to EC during suspend
        platform/chrome: cros_ec_lightbar - Add userspace lightbar control bit to EC
        platform/chrome: cros_ec_lightbar - Control of suspend/resume lightbar sequence
        platform/chrome: cros_ec_lightbar - Add lightbar program feature to sysfs
        platform/chrome: cros_ec_lpc: Add MKBP events support over ACPI
        platform/chrome: cros_ec_lpc: Add power management ops
        platform/chrome: cros_ec_lpc: Add support for GOOG004 ACPI device
        platform/chrome: cros_ec_lpc: Add support for mec1322 EC
        platform/chrome: cros_ec_lpc: Add R/W helpers to LPC protocol variants
        mfd: cros_ec: Add support for dumping panic information
        cros_ec_debugfs: Pass proper struct sizes to cros_ec_cmd_xfer()
        mfd: cros_ec: add debugfs, console log file
        mfd: cros_ec: Add EC console read structures definitions
        mfd: cros_ec: Add helper for event notifier.
      a3ddacba
    • Linus Torvalds's avatar
      Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu · a0188177
      Linus Torvalds authored
      Pull x86nommu update from Greg Ungerer:
       "Only a single change, to remove old Kconfig options from defconfigs"
      
      * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
        m68k: defconfig: Cleanup from old Kconfig options
      a0188177
  5. 10 Jul, 2017 14 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 9967468c
      Linus Torvalds authored
      Merge more updates from Andrew Morton:
      
       - most of the rest of MM
      
       - KASAN updates
      
       - lib/ updates
      
       - checkpatch updates
      
       - some binfmt_elf changes
      
       - various misc bits
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (115 commits)
        kernel/exit.c: avoid undefined behaviour when calling wait4()
        kernel/signal.c: avoid undefined behaviour in kill_something_info
        binfmt_elf: safely increment argv pointers
        s390: reduce ELF_ET_DYN_BASE
        powerpc: move ELF_ET_DYN_BASE to 4GB / 4MB
        arm64: move ELF_ET_DYN_BASE to 4GB / 4MB
        arm: move ELF_ET_DYN_BASE to 4MB
        binfmt_elf: use ELF_ET_DYN_BASE only for PIE
        fs, epoll: short circuit fetching events if thread has been killed
        checkpatch: improve multi-line alignment test
        checkpatch: improve macro reuse test
        checkpatch: change format of --color argument to --color[=WHEN]
        checkpatch: silence perl 5.26.0 unescaped left brace warnings
        checkpatch: improve tests for multiple line function definitions
        checkpatch: remove false warning for commit reference
        checkpatch: fix stepping through statements with $stat and ctx_statement_block
        checkpatch: [HLP]LIST_HEAD is also declaration
        checkpatch: warn when a MAINTAINERS entry isn't [A-Z]:\t
        checkpatch: improve the unnecessary OOM message test
        lib/bsearch.c: micro-optimize pivot position calculation
        ...
      9967468c
    • zhongjiang's avatar
      kernel/exit.c: avoid undefined behaviour when calling wait4() · dd83c161
      zhongjiang authored
      wait4(-2147483648, 0x20, 0, 0xdd0000) triggers:
      UBSAN: Undefined behaviour in kernel/exit.c:1651:9
      
      The related calltrace is as follows:
      
        negation of -2147483648 cannot be represented in type 'int':
        CPU: 9 PID: 16482 Comm: zj Tainted: G    B          ---- -------   3.10.0-327.53.58.71.x86_64+ #66
        Hardware name: Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA              , BIOS CTSAV036 04/27/2011
        Call Trace:
          dump_stack+0x19/0x1b
          ubsan_epilogue+0xd/0x50
          __ubsan_handle_negate_overflow+0x109/0x14e
          SyS_wait4+0x1cb/0x1e0
          system_call_fastpath+0x16/0x1b
      
      Exclude the overflow to avoid the UBSAN warning.
      
      Link: http://lkml.kernel.org/r/1497264618-20212-1-git-send-email-zhongjiang@huawei.comSigned-off-by: default avatarzhongjiang <zhongjiang@huawei.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Xishi Qiu <qiuxishi@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      dd83c161
    • zhongjiang's avatar
      kernel/signal.c: avoid undefined behaviour in kill_something_info · 4ea77014
      zhongjiang authored
      When running kill(72057458746458112, 0) in userspace I hit the following
      issue.
      
        UBSAN: Undefined behaviour in kernel/signal.c:1462:11
        negation of -2147483648 cannot be represented in type 'int':
        CPU: 226 PID: 9849 Comm: test Tainted: G    B          ---- -------   3.10.0-327.53.58.70.x86_64_ubsan+ #116
        Hardware name: Huawei Technologies Co., Ltd. RH8100 V3/BC61PBIA, BIOS BLHSV028 11/11/2014
        Call Trace:
          dump_stack+0x19/0x1b
          ubsan_epilogue+0xd/0x50
          __ubsan_handle_negate_overflow+0x109/0x14e
          SYSC_kill+0x43e/0x4d0
          SyS_kill+0xe/0x10
          system_call_fastpath+0x16/0x1b
      
      Add code to avoid the UBSAN detection.
      
      [akpm@linux-foundation.org: tweak comment]
      Link: http://lkml.kernel.org/r/1496670008-59084-1-git-send-email-zhongjiang@huawei.comSigned-off-by: default avatarzhongjiang <zhongjiang@huawei.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Xishi Qiu <qiuxishi@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4ea77014
    • Kees Cook's avatar
      binfmt_elf: safely increment argv pointers · 67c6777a
      Kees Cook authored
      When building the argv/envp pointers, the envp is needlessly
      pre-incremented instead of just continuing after the argv pointers are
      finished.  In some (likely impossible) race where the strings could be
      changed from userspace between copy_strings() and here, it might be
      possible to confuse the envp position.  Instead, just use sp like
      everything else.
      
      Link: http://lkml.kernel.org/r/20170622173838.GA43308@beastSigned-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Daniel Micay <danielmicay@gmail.com>
      Cc: Qualys Security Advisory <qsa@qualys.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      67c6777a
    • Kees Cook's avatar
      s390: reduce ELF_ET_DYN_BASE · a73dc537
      Kees Cook authored
      Now that explicitly executed loaders are loaded in the mmap region, we
      have more freedom to decide where we position PIE binaries in the
      address space to avoid possible collisions with mmap or stack regions.
      
      For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
      address space for 32-bit pointers.  On 32-bit use 4MB, which is the
      traditional x86 minimum load location, likely to avoid historically
      requiring a 4MB page table entry when only a portion of the first 4MB
      would be used (since the NULL address is avoided).  For s390 the
      position could be 0x10000, but that is needlessly close to the NULL
      address.
      
      Link: http://lkml.kernel.org/r/1498154792-49952-5-git-send-email-keescook@chromium.orgSigned-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: Pratyush Anand <panand@redhat.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a73dc537
    • Kees Cook's avatar
      powerpc: move ELF_ET_DYN_BASE to 4GB / 4MB · 47ebb09d
      Kees Cook authored
      Now that explicitly executed loaders are loaded in the mmap region, we
      have more freedom to decide where we position PIE binaries in the
      address space to avoid possible collisions with mmap or stack regions.
      
      For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
      address space for 32-bit pointers.  On 32-bit use 4MB, which is the
      traditional x86 minimum load location, likely to avoid historically
      requiring a 4MB page table entry when only a portion of the first 4MB
      would be used (since the NULL address is avoided).
      
      Link: http://lkml.kernel.org/r/1498154792-49952-4-git-send-email-keescook@chromium.orgSigned-off-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Acked-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: Pratyush Anand <panand@redhat.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      47ebb09d
    • Kees Cook's avatar
      arm64: move ELF_ET_DYN_BASE to 4GB / 4MB · 02445990
      Kees Cook authored
      Now that explicitly executed loaders are loaded in the mmap region, we
      have more freedom to decide where we position PIE binaries in the
      address space to avoid possible collisions with mmap or stack regions.
      
      For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
      address space for 32-bit pointers.  On 32-bit use 4MB, to match ARM.
      This could be 0x8000, the standard ET_EXEC load address, but that is
      needlessly close to the NULL address, and anyone running arm compat PIE
      will have an MMU, so the tight mapping is not needed.
      
      Link: http://lkml.kernel.org/r/1498251600-132458-4-git-send-email-keescook@chromium.orgSigned-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      02445990
    • Kees Cook's avatar
      arm: move ELF_ET_DYN_BASE to 4MB · 6a9af90a
      Kees Cook authored
      Now that explicitly executed loaders are loaded in the mmap region, we
      have more freedom to decide where we position PIE binaries in the
      address space to avoid possible collisions with mmap or stack regions.
      
      4MB is chosen here mainly to have parity with x86, where this is the
      traditional minimum load location, likely to avoid historically
      requiring a 4MB page table entry when only a portion of the first 4MB
      would be used (since the NULL address is avoided).
      
      For ARM the position could be 0x8000, the standard ET_EXEC load address,
      but that is needlessly close to the NULL address, and anyone running PIE
      on 32-bit ARM will have an MMU, so the tight mapping is not needed.
      
      Link: http://lkml.kernel.org/r/1498154792-49952-2-git-send-email-keescook@chromium.orgSigned-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: Pratyush Anand <panand@redhat.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Daniel Micay <danielmicay@gmail.com>
      Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
      Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: Qualys Security Advisory <qsa@qualys.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6a9af90a
    • Kees Cook's avatar
      binfmt_elf: use ELF_ET_DYN_BASE only for PIE · eab09532
      Kees Cook authored
      The ELF_ET_DYN_BASE position was originally intended to keep loaders
      away from ET_EXEC binaries.  (For example, running "/lib/ld-linux.so.2
      /bin/cat" might cause the subsequent load of /bin/cat into where the
      loader had been loaded.)
      
      With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
      ELF_ET_DYN_BASE continued to be used since the kernel was only looking
      at ET_DYN.  However, since ELF_ET_DYN_BASE is traditionally set at the
      top 1/3rd of the TASK_SIZE, a substantial portion of the address space
      is unused.
      
      For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
      loaded above the mmap region.  This means they can be made to collide
      (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
      pathological stack regions.
      
      Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
      region in all cases, and will now additionally avoid programs falling
      back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
      if it would have collided with the stack, now it will fail to load
      instead of falling back to the mmap region).
      
      To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
      are loaded into the mmap region, leaving space available for either an
      ET_EXEC binary with a fixed location or PIE being loaded into mmap by
      the loader.  Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
      which means architectures can now safely lower their values without risk
      of loaders colliding with their subsequently loaded programs.
      
      For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
      the entire 32-bit address space for 32-bit pointers.
      
      Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
      suggestions on how to implement this solution.
      
      Fixes: d1fd836d ("mm: split ET_DYN ASLR from mmap ASLR")
      Link: http://lkml.kernel.org/r/20170621173201.GA114489@beastSigned-off-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarRik van Riel <riel@redhat.com>
      Cc: Daniel Micay <danielmicay@gmail.com>
      Cc: Qualys Security Advisory <qsa@qualys.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Pratyush Anand <panand@redhat.com>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      eab09532
    • David Rientjes's avatar
      fs, epoll: short circuit fetching events if thread has been killed · c257a340
      David Rientjes authored
      We've encountered zombies that are waiting for a thread to exit that are
      looping in ep_poll() almost endlessly although there is a pending
      SIGKILL as a result of a group exit.
      
      This happens because we always find ep_events_available() and fetch more
      events and never are able to check for signal_pending() that would break
      from the loop and return -EINTR.
      
      Special case fatal signals and break immediately to guarantee that we
      loop to fetch more events and delay making a timely exit.
      
      It would also be possible to simply move the check for signal_pending()
      higher than checking for ep_events_available(), but there have been no
      reports of delayed signal handling other than SIGKILL preventing zombies
      from exiting that would be fixed by this.
      
      It fixes an issue for us where we have witnessed zombies sticking around
      for at least O(minutes), but considering the code has been like this
      forever and nobody else has complained that I have found, I would simply
      queue it up for 4.12.
      
      Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1705031722350.76784@chino.kir.corp.google.comSigned-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Davide Libenzi <davidel@xmailserver.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c257a340
    • Joe Perches's avatar
      checkpatch: improve multi-line alignment test · fd71f632
      Joe Perches authored
      The current test fails to warn about improper alignment with code like
      
      	foo->bar = func(arg1,
      				arg2);
      
      because foo->bar is not a single identifier.
      
      Convert the $Ident to $Lval which allows for multiple dereferences.
      
      Link: http://lkml.kernel.org/r/01c35b9b6a12a415e57746d45d589bfaad39952a.1498841563.git.joe@perches.comSigned-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fd71f632
    • Joe Perches's avatar
      checkpatch: improve macro reuse test · 7fe528a2
      Joe Perches authored
      checkpatch reports a false positive when using token pasting argument
      multiple times in a macro.
      
      Fix it.
      
      Miscellanea:
      
      o Make the $tmp variable name used in the macro argument tests
        a bit more descriptive
      
      Link: http://lkml.kernel.org/r/cf434ae7602838388c7cb49d42bca93ab88527e7.1498483044.git.joe@perches.comSigned-off-by: default avatarJoe Perches <joe@perches.com>
      Reported-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7fe528a2
    • John Brooks's avatar
      checkpatch: change format of --color argument to --color[=WHEN] · 737c0767
      John Brooks authored
      The boolean --color argument did not offer the ability to force
      colourized output even if stdout is not a terminal.  Change the format
      of the argument to the familiar --color[=WHEN] construct as seen in
      common Linux utilities such as git, ls and dmesg, which allows the user
      to specify whether to colourize output "always", "never", or "auto" when
      the output is a terminal.  The default is "auto".
      
      The old command-line uses of --color and --no-color are unchanged.
      
      Link: http://lkml.kernel.org/r/efe43bdbad400f39ba691ae663044462493b0773.1496799721.git.joe@perches.comSigned-off-by: default avatarJohn Brooks <john@fastquake.com>
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      737c0767
    • Cyril Bur's avatar
      checkpatch: silence perl 5.26.0 unescaped left brace warnings · 8d81ae05
      Cyril Bur authored
      As of perl 5, version 26, subversion 0 (v5.26.0) some new warnings have
      occurred when running checkpatch.
      
      Unescaped left brace in regex is deprecated here (and will be fatal in
      Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){
      <-- HERE \s*/ at scripts/checkpatch.pl line 3544.
      
      Unescaped left brace in regex is deprecated here (and will be fatal in
      Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){
      <-- HERE \s*/ at scripts/checkpatch.pl line 3885.
      
      Unescaped left brace in regex is deprecated here (and will be fatal in
      Perl 5.30), passed through in regex; marked by <-- HERE in
      m/^(\+.*(?:do|\))){ <-- HERE / at scripts/checkpatch.pl line 4374.
      
      It seems perfectly reasonable to do as the warning suggests and simply
      escape the left brace in these three locations.
      
      Link: http://lkml.kernel.org/r/20170607060135.17384-1-cyrilbur@gmail.comSigned-off-by: default avatarCyril Bur <cyrilbur@gmail.com>
      Acked-by: default avatarJoe Perches <joe@perches.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8d81ae05