1. 21 Feb, 2019 9 commits
    • Qian Cai's avatar
      slub: fix SLAB_CONSISTENCY_CHECKS + KASAN_SW_TAGS · 338cfaad
      Qian Cai authored
      Enabling SLUB_DEBUG's SLAB_CONSISTENCY_CHECKS with KASAN_SW_TAGS
      triggers endless false positives during boot below due to
      check_valid_pointer() checks tagged pointers which have no addresses
      that is valid within slab pages:
      
        BUG radix_tree_node (Tainted: G    B            ): Freelist Pointer check fails
        -----------------------------------------------------------------------------
      
        INFO: Slab objects=69 used=69 fp=0x          (null) flags=0x7ffffffc000200
        INFO: Object @offset=15060037153926966016 fp=0x
      
        Redzone: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 18 6b 06 00 08 80 ff d0  .........k......
        Object : 18 6b 06 00 08 80 ff d0 00 00 00 00 00 00 00 00  .k..............
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Redzone: bb bb bb bb bb bb bb bb                          ........
        Padding: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
        CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B             5.0.0-rc5+ #18
        Call trace:
          dump_backtrace+0x0/0x450
          show_stack+0x20/0x2c
          __dump_stack+0x20/0x28
          dump_stack+0xa0/0xfc
          print_trailer+0x1bc/0x1d0
          object_err+0x40/0x50
          alloc_debug_processing+0xf0/0x19c
          ___slab_alloc+0x554/0x704
          kmem_cache_alloc+0x2f8/0x440
          radix_tree_node_alloc+0x90/0x2fc
          idr_get_free+0x1e8/0x6d0
          idr_alloc_u32+0x11c/0x2a4
          idr_alloc+0x74/0xe0
          worker_pool_assign_id+0x5c/0xbc
          workqueue_init_early+0x49c/0xd50
          start_kernel+0x52c/0xac4
        FIX radix_tree_node: Marking all objects used
      
      Link: http://lkml.kernel.org/r/20190209044128.3290-1-cai@lca.pwSigned-off-by: default avatarQian Cai <cai@lca.pw>
      Reviewed-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      338cfaad
    • Andrey Konovalov's avatar
      kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED · d36a63a9
      Andrey Konovalov authored
      When CONFIG_KASAN_SW_TAGS is enabled, ptr_addr might be tagged.  Normally,
      this doesn't cause any issues, as both set_freepointer() and
      get_freepointer() are called with a pointer with the same tag.  However,
      there are some issues with CONFIG_SLUB_DEBUG code.  For example, when
      __free_slub() iterates over objects in a cache, it passes untagged
      pointers to check_object().  check_object() in turns calls
      get_freepointer() with an untagged pointer, which causes the freepointer
      to be restored incorrectly.
      
      Add kasan_reset_tag to freelist_ptr(). Also add a detailed comment.
      
      Link: http://lkml.kernel.org/r/bf858f26ef32eb7bd24c665755b3aee4bc58d0e4.1550103861.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d36a63a9
    • Andrey Konovalov's avatar
      kasan, slub: fix conflicts with CONFIG_SLAB_FREELIST_HARDENED · 18e50661
      Andrey Konovalov authored
      CONFIG_SLAB_FREELIST_HARDENED hashes freelist pointer with the address of
      the object where the pointer gets stored.  With tag based KASAN we don't
      account for that when building freelist, as we call set_freepointer() with
      the first argument untagged.  This patch changes the code to properly
      propagate tags throughout the loop.
      
      Link: http://lkml.kernel.org/r/3df171559c52201376f246bf7ce3184fe21c1dc7.1549921721.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      18e50661
    • Andrey Konovalov's avatar
      kasan, slub: move kasan_poison_slab hook before page_address · a7101224
      Andrey Konovalov authored
      With tag based KASAN page_address() looks at the page flags to see whether
      the resulting pointer needs to have a tag set.  Since we don't want to set
      a tag when page_address() is called on SLAB pages, we call
      page_kasan_tag_reset() in kasan_poison_slab().  However in allocate_slab()
      page_address() is called before kasan_poison_slab().  Fix it by changing
      the order.
      
      [andreyknvl@google.com: fix compilation error when CONFIG_SLUB_DEBUG=n]
        Link: http://lkml.kernel.org/r/ac27cc0bbaeb414ed77bcd6671a877cf3546d56e.1550066133.git.andreyknvl@google.com
      Link: http://lkml.kernel.org/r/cd895d627465a3f1c712647072d17f10883be2a1.1549921721.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Qian Cai <cai@lca.pw>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a7101224
    • Andrey Konovalov's avatar
      kmemleak: account for tagged pointers when calculating pointer range · a2f77575
      Andrey Konovalov authored
      kmemleak keeps two global variables, min_addr and max_addr, which store
      the range of valid (encountered by kmemleak) pointer values, which it
      later uses to speed up pointer lookup when scanning blocks.
      
      With tagged pointers this range will get bigger than it needs to be.  This
      patch makes kmemleak untag pointers before saving them to min_addr and
      max_addr and when performing a lookup.
      
      Link: http://lkml.kernel.org/r/16e887d442986ab87fe87a755815ad92fa431a5f.1550066133.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a2f77575
    • Andrey Konovalov's avatar
      kasan, kmemleak: pass tagged pointers to kmemleak · 53128245
      Andrey Konovalov authored
      Right now we call kmemleak hooks before assigning tags to pointers in
      KASAN hooks.  As a result, when an objects gets allocated, kmemleak sees a
      differently tagged pointer, compared to the one it sees when the object
      gets freed.  Fix it by calling KASAN hooks before kmemleak's ones.
      
      Link: http://lkml.kernel.org/r/cd825aa4897b0fc37d3316838993881daccbe9f5.1549921721.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      53128245
    • Andrey Konovalov's avatar
      kasan: fix assigning tags twice · e1db95be
      Andrey Konovalov authored
      When an object is kmalloc()'ed, two hooks are called: kasan_slab_alloc()
      and kasan_kmalloc().  Right now we assign a tag twice, once in each of the
      hooks.  Fix it by assigning a tag only in the former hook.
      
      Link: http://lkml.kernel.org/r/ce8c6431da735aa7ec051fd6497153df690eb021.1549921721.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Qian Cai <cai@lca.pw>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e1db95be
    • Ralph Campbell's avatar
      numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES · 050c17f2
      Ralph Campbell authored
      The system call, get_mempolicy() [1], passes an unsigned long *nodemask
      pointer and an unsigned long maxnode argument which specifies the length
      of the user's nodemask array in bits (which is rounded up).  The manual
      page says that if the maxnode value is too small, get_mempolicy will
      return EINVAL but there is no system call to return this minimum value.
      To determine this value, some programs search /proc/<pid>/status for a
      line starting with "Mems_allowed:" and use the number of digits in the
      mask to determine the minimum value.  A recent change to the way this line
      is formatted [2] causes these programs to compute a value less than
      MAX_NUMNODES so get_mempolicy() returns EINVAL.
      
      Change get_mempolicy(), the older compat version of get_mempolicy(), and
      the copy_nodes_to_user() function to use nr_node_ids instead of
      MAX_NUMNODES, thus preserving the defacto method of computing the minimum
      size for the nodemask array and the maxnode argument.
      
      [1] http://man7.org/linux/man-pages/man2/get_mempolicy.2.html
      [2] https://lore.kernel.org/lkml/1545405631-6808-1-git-send-email-longman@redhat.com
      
      Link: http://lkml.kernel.org/r/20190211180245.22295-1-rcampbell@nvidia.com
      Fixes: 4fb8e5b89bcbbbb ("include/linux/nodemask.h: use nr_node_ids (not MAX_NUMNODES) in __nodemask_pr_numnodes()")
      Signed-off-by: default avatarRalph Campbell <rcampbell@nvidia.com>
      Suggested-by: default avatarAlexander Duyck <alexander.duyck@gmail.com>
      Cc: Waiman Long <longman@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      050c17f2
    • Andrew Morton's avatar
      revert "initramfs: cleanup incomplete rootfs" · a841c673
      Andrew Morton authored
      Revert ff1522bb ("initramfs: cleanup incomplete rootfs").
      
      Andy reports
      
      : This breaks my setup where I have U-boot provided more size of initramfs
      : than needed.  This allows a bit of flexibility to increase or decrease
      : initramfs compressed image without taking care of bootloader.  The proper
      : solution is to do this if we sure that we didn't get enough memory,
      : otherwise I can't consider the error fatal to clean up rootfs.
      
      Fixes: ff1522bb ("initramfs: cleanup incomplete rootfs")
      Reported-by: default avatarAndy Shevchenko <andy.shevchenko@gmail.com>
      Tested-by: default avatarAndy Shevchenko <andy.shevchenko@gmail.com>
      Cc: David Engraf <david.engraf@sysgo.com>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Philippe Ombredanne <pombredanne@nexb.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a841c673
  2. 20 Feb, 2019 6 commits
    • Linus Torvalds's avatar
      Merge tag 'sound-5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 2137397c
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Here are a few last-minute fixes for 5.0.
      
        The most significant one is the OF-node refcount fix for ASoC
        simple-card, which could be triggered on many boards. Another fix for
        ASoC core is for the error handling in topology, while others are
        device-specific fixes for Samsung and HD-audio"
      
      * tag 'sound-5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ASoC: simple-card: fixup refcount_t underflow
        ASoC: topology: free created components in tplg load error
        ALSA: hda/realtek: Disable PC beep in passthrough on alc285
        ALSA: hda/realtek - Headset microphone and internal speaker support for System76 oryp5
        ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI
      2137397c
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v5.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · fb83f15e
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Some final pin control fixes (I hope) to round off the v5.0 pin
        control development cycle.
      
        Only driver fixes, one for stable:
      
         - Meson8B fixup for the sdc pins
      
         - Fix SDC tile position for Qualcomm QCS404"
      
      * tag 'pinctrl-v5.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
        pinctrl: qcom: qcs404: Correct SDC tile
      fb83f15e
    • Linus Torvalds's avatar
      Merge tag 'gpio-v5.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · c828c265
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "Two GPIO fixes for the v5.0 series:
      
         - Per-instance irqchip on the MT7621
      
         - Avoid direction setting using pin control on MMP2"
      
      * tag 'gpio-v5.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: pxa: avoid attempting to set pin direction via pinctrl on MMP2
        gpio: MT7621: use a per instance irq_chip structure
      c828c265
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.0-rc8' of git://git.infradead.org/linux-mtd · 7d9d592c
      Linus Torvalds authored
      Pull MTD fixes from Boris Brezillon:
      
       - Don't add a digit to MTD-backed nvmem device names
      
       - Make sure powernv flash names are unique
      
      * tag 'mtd/fixes-for-5.0-rc8' of git://git.infradead.org/linux-mtd:
        mtd: powernv_flash: Fix device registration error
        mtd: Use mtd->name when registering nvmem device
      7d9d592c
    • Linus Torvalds's avatar
      Merge branch 'fixes-v5.1-rc6' of... · 1f5a018c
      Linus Torvalds authored
      Merge branch 'fixes-v5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
      
      Pull keys fixes from James Morris:
      
       - Handle quotas better, allowing full quota to be reached.
      
       - Fix the creation of shortcuts in the assoc_array internal
         representation when the index key needs to be an exact multiple of
         the machine word size.
      
       - Fix a dependency loop between the request_key contruction record and
         the request_key authentication key. The construction record isn't
         really necessary and can be dispensed with.
      
       - Set the timestamp on a new key rather than leaving it as 0. This
         would ordinarily be fine - provided the system clock is never set to
         a time before 1970
      
      * 'fixes-v5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        keys: Timestamp new keys
        keys: Fix dependency loop between construction record and auth key
        assoc_array: Fix shortcut creation
        KEYS: allow reaching the keys quotas exactly
      1f5a018c
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 40e196a9
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix suspend and resume in mt76x0u USB driver, from Stanislaw
          Gruszka.
      
       2) Missing memory barriers in xsk, from Magnus Karlsson.
      
       3) rhashtable fixes in mac80211 from Herbert Xu.
      
       4) 32-bit MIPS eBPF JIT fixes from Paul Burton.
      
       5) Fix for_each_netdev_feature() on big endian, from Hauke Mehrtens.
      
       6) GSO validation fixes from Willem de Bruijn.
      
       7) Endianness fix for dwmac4 timestamp handling, from Alexandre Torgue.
      
       8) More strict checks in tcp_v4_err(), from Eric Dumazet.
      
       9) af_alg_release should NULL out the sk after the sock_put(), from Mao
          Wenan.
      
      10) Missing unlock in mac80211 mesh error path, from Wei Yongjun.
      
      11) Missing device put in hns driver, from Salil Mehta.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
        sky2: Increase D3 delay again
        vhost: correctly check the return value of translate_desc() in log_used()
        net: netcp: Fix ethss driver probe issue
        net: hns: Fixes the missing put_device in positive leg for roce reset
        net: stmmac: Fix a race in EEE enable callback
        qed: Fix iWARP syn packet mac address validation.
        qed: Fix iWARP buffer size provided for syn packet processing.
        r8152: Add support for MAC address pass through on RTL8153-BD
        mac80211: mesh: fix missing unlock on error in table_path_del()
        net/mlx4_en: fix spelling mistake: "quiting" -> "quitting"
        net: crypto set sk to NULL when af_alg_release.
        net: Do not allocate page fragments that are not skb aligned
        mm: Use fixed constant in page_frag_alloc instead of size + 1
        tcp: tcp_v4_err() should be more careful
        tcp: clear icsk_backoff in tcp_write_queue_purge()
        net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
        qmi_wwan: apply SET_DTR quirk to Sierra WP7607
        net: stmmac: handle endianness in dwmac4_get_timestamp
        doc: Mention MSG_ZEROCOPY implementation for UDP
        mlxsw: __mlxsw_sp_port_headroom_set(): Fix a use of local variable
        ...
      40e196a9
  3. 19 Feb, 2019 14 commits
  4. 18 Feb, 2019 10 commits
    • Colin Ian King's avatar
      net/mlx4_en: fix spelling mistake: "quiting" -> "quitting" · 21d2cb49
      Colin Ian King authored
      There is a spelling mistake in a en_err error message. Fix it.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21d2cb49
    • Mao Wenan's avatar
      net: crypto set sk to NULL when af_alg_release. · 9060cb71
      Mao Wenan authored
      KASAN has found use-after-free in sockfs_setattr.
      The existed commit 6d8c50dc ("socket: close race condition between sock_close()
      and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
      that crypto module forgets to set the sk to NULL after af_alg_release.
      
      KASAN report details as below:
      BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
      Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
      
      CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       dump_stack+0xca/0x13e
       print_address_description+0x79/0x330
       ? vprintk_func+0x5e/0xf0
       kasan_report+0x18a/0x2e0
       ? sockfs_setattr+0x120/0x150
       sockfs_setattr+0x120/0x150
       ? sock_register+0x2d0/0x2d0
       notify_change+0x90c/0xd40
       ? chown_common+0x2ef/0x510
       chown_common+0x2ef/0x510
       ? chmod_common+0x3b0/0x3b0
       ? __lock_is_held+0xbc/0x160
       ? __sb_start_write+0x13d/0x2b0
       ? __mnt_want_write+0x19a/0x250
       do_fchownat+0x15c/0x190
       ? __ia32_sys_chmod+0x80/0x80
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       __x64_sys_fchownat+0xbf/0x160
       ? lockdep_hardirqs_on+0x39a/0x5e0
       do_syscall_64+0xc8/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462589
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
      f7 48 89 d6 48 89
      ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
      48 c7 c1 bc ff ff
      ff f7 d8 64 89 01 48
      RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
      RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
      RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
      RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
      R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
      
      Allocated by task 4185:
       kasan_kmalloc+0xa0/0xd0
       __kmalloc+0x14a/0x350
       sk_prot_alloc+0xf6/0x290
       sk_alloc+0x3d/0xc00
       af_alg_accept+0x9e/0x670
       hash_accept+0x4a3/0x650
       __sys_accept4+0x306/0x5c0
       __x64_sys_accept4+0x98/0x100
       do_syscall_64+0xc8/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 4184:
       __kasan_slab_free+0x12e/0x180
       kfree+0xeb/0x2f0
       __sk_destruct+0x4e6/0x6a0
       sk_destruct+0x48/0x70
       __sk_free+0xa9/0x270
       sk_free+0x2a/0x30
       af_alg_release+0x5c/0x70
       __sock_release+0xd3/0x280
       sock_close+0x1a/0x20
       __fput+0x27f/0x7f0
       task_work_run+0x136/0x1b0
       exit_to_usermode_loop+0x1a7/0x1d0
       do_syscall_64+0x461/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Syzkaller reproducer:
      r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
      0xffffffffffffffff, 0x0)
      r1 = socket$alg(0x26, 0x5, 0x0)
      getrusage(0x0, 0x0)
      bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
      'sha256-ssse3\x00'}, 0x80)
      r2 = accept(r1, 0x0, 0x0)
      r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
      r4 = dup3(r3, r0, 0x0)
      fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
      
      Fixes: 6d8c50dc ("socket: close race condition between sock_close() and sockfs_setattr()")
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9060cb71
    • Kuninori Morimoto's avatar
      ASoC: simple-card: fixup refcount_t underflow · 19dd0777
      Kuninori Morimoto authored
      commit da215354 ("ASoC: simple-card: merge simple-scu-card")
      merged simple-card and simple-scu-card. Then it had refcount
      underflow bug. This patch fixup it.
      We will get below error without this patch.
      
      	OF: ERROR: Bad of_node_put() on /sound
      	CPU: 3 PID: 237 Comm: kworker/3:1 Not tainted 5.0.0-rc6+ #1514
      	Hardware name: Renesas H3ULCB Kingfisher board based on r8a7795 ES2.0+ (DT)
      	Workqueue: events deferred_probe_work_func
      	Call trace:
      	 dump_backtrace+0x0/0x150
      	 show_stack+0x24/0x30
      	 dump_stack+0xb0/0xec
      	 of_node_release+0xd0/0xd8
      	 kobject_put+0x74/0xe8
      	 of_node_put+0x24/0x30
      	 __of_get_next_child+0x50/0x70
      	 of_get_next_child+0x40/0x68
      	 asoc_simple_card_probe+0x604/0x730
      	 platform_drv_probe+0x58/0xa8
      	 ...
      Reported-by: default avatarVicente Bergas <vicencb@gmail.com>
      Signed-off-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      19dd0777
    • Bard liao's avatar
      ASoC: topology: free created components in tplg load error · 304017d3
      Bard liao authored
      Topology resources are no longer needed if any element failed to load.
      Signed-off-by: default avatarBard liao <yung-chuan.liao@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      304017d3
    • Linus Torvalds's avatar
      Merge tag 'mailbox-fixes-v5.0-rc7' of... · 301e3610
      Linus Torvalds authored
      Merge tag 'mailbox-fixes-v5.0-rc7' of git://git.linaro.org/landing-teams/working/fujitsu/integration
      
      Pull mailbox fixes from Jassi Brar:
      
       - API: Fix build breakge by exporting the function mbox_flush
      
       - BRCM: Fix FlexRM ring flush timeout issue
      
      * tag 'mailbox-fixes-v5.0-rc7' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
        mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue
        mailbox: Export mbox_flush()
      301e3610
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · 3ddc14e2
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "A few ARM fixes:
      
         - Dietmar Eggemann noticed an issue with IRQ migration during CPU
           hotplug stress testing.
      
         - Mathieu Desnoyers noticed that a previous fix broke optimised
           kprobes.
      
         - Robin Murphy noticed a case where we were not clearing the dma_ops"
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8835/1: dma-mapping: Clear DMA ops on teardown
        ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction
        ARM: 8824/1: fix a migrating irq bug when hotplug cpu
      3ddc14e2
    • Linus Torvalds's avatar
      Merge tag 'trace-v5.0-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 10f49021
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Two more tracing fixes
      
         - Have kprobes not use copy_from_user() to access kernel addresses,
           because kprobes can legitimately poke at bad kernel memory, which
           will fault. Copy from user code should never fault in kernel space.
           Using probe_mem_read() can handle kernel address space faulting.
      
         - Put back the entries counter in the tracing output that was
           accidentally removed"
      
      * tag 'trace-v5.0-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix number of entries in trace header
        kprobe: Do not use uaccess functions to access kernel memory that can fault
      10f49021
    • Rayagonda Kokatanur's avatar
      mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue · d7bf31a0
      Rayagonda Kokatanur authored
      RING_CONTROL reg was not written due to wrong address, hence all
      the subsequent ring flush was timing out.
      
      Fixes: a371c10e ("mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence")
      Signed-off-by: default avatarRayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
      Signed-off-by: default avatarRay Jui <ray.jui@broadcom.com>
      Reviewed-by: default avatarScott Branden <scott.branden@broadcom.com>
      Signed-off-by: default avatarJassi Brar <jaswinder.singh@linaro.org>
      d7bf31a0
    • Thierry Reding's avatar
      mailbox: Export mbox_flush() · 4f055779
      Thierry Reding authored
      The mbox_flush() function can be used by drivers that are built as
      modules, so the function needs to be exported.
      Reported-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarThierry Reding <treding@nvidia.com>
      Signed-off-by: default avatarJassi Brar <jaswinder.singh@linaro.org>
      4f055779
    • Linus Torvalds's avatar
      Linux 5.0-rc7 · a3b22b9f
      Linus Torvalds authored
      a3b22b9f
  5. 17 Feb, 2019 1 commit
    • David S. Miller's avatar
      Merge branch 'netdev-page_frag_alloc-fixes' · 254a1a2b
      David S. Miller authored
      Alexander Duyck says:
      
      ====================
      Address recent issues found in netdev page_frag_alloc usage
      
      This patch set addresses a couple of issues that I had pointed out to Jann
      Horn in response to a recent patch submission.
      
      The first issue is that I wanted to avoid the need to read/modify/write the
      size value in order to generate the value for pagecnt_bias. Instead we can
      just use a fixed constant which reduces the need for memory read operations
      and the overall number of instructions to update the pagecnt bias values.
      
      The other, and more important issue is, that apparently we were letting tun
      access the napi_alloc_cache indirectly through netdev_alloc_frag and as a
      result letting it create unaligned accesses via unaligned allocations. In
      order to prevent this I have added a call to SKB_DATA_ALIGN for the fragsz
      field so that we will keep the offset in the napi_alloc_cache
      SMP_CACHE_BYTES aligned.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      254a1a2b