1. 09 Feb, 2017 2 commits
    • David Daney's avatar
      Revert "hwrng: core - zeroize buffers with random data" · 3b802c94
      David Daney authored
      This reverts commit 2cc75154.
      
      With this commit in place I get on a Cavium ThunderX (arm64) system:
      
      $ if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v > rng-bad.txt
      1+0 records in
      1+0 records out
      256 bytes (256 B) copied, 9.1171e-05 s, 2.8 MB/s
      $ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v >> rng-bad.txt
      1+0 records in
      1+0 records out
      256 bytes (256 B) copied, 9.6141e-05 s, 2.7 MB/s
      $ cat rng-bad.txt
      000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000050 00 00 00 00 37 20 46 ae d0 fc 1c 55 25 6e b0 b8
      000060 7c 7e d7 d4 00 0f 6f b2 91 1e 30 a8 fa 3e 52 0e
      000070 06 2d 53 30 be a1 20 0f aa 56 6e 0e 44 6e f4 35
      000080 b7 6a fe d2 52 70 7e 58 56 02 41 ea d1 9c 6a 6a
      000090 d1 bd d8 4c da 35 45 ef 89 55 fc 59 d5 cd 57 ba
      0000a0 4e 3e 02 1c 12 76 43 37 23 e1 9f 7a 9f 9e 99 24
      0000b0 47 b2 de e3 79 85 f6 55 7e ad 76 13 4f a0 b5 41
      0000c0 c6 92 42 01 d9 12 de 8f b4 7b 6e ae d7 24 fc 65
      0000d0 4d af 0a aa 36 d9 17 8d 0e 8b 7a 3b b6 5f 96 47
      0000e0 46 f7 d8 ce 0b e8 3e c6 13 a6 2c b6 d6 cc 17 26
      0000f0 e3 c3 17 8e 9e 45 56 1e 41 ef 29 1a a8 65 c8 3a
      000100
      000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000050 00 00 00 00 f4 90 65 aa 8b f2 5e 31 01 53 b4 d4
      000060 06 c0 23 a2 99 3d 01 e4 b0 c1 b1 55 0f 80 63 cf
      000070 33 24 d8 3a 1d 5e cd 2c ba c0 d0 18 6f bc 97 46
      000080 1e 19 51 b1 90 15 af 80 5e d1 08 0d eb b0 6c ab
      000090 6a b4 fe 62 37 c5 e1 ee 93 c3 58 78 91 2a d5 23
      0000a0 63 50 eb 1f 3b 84 35 18 cf b2 a4 b8 46 69 9e cf
      0000b0 0c 95 af 03 51 45 a8 42 f1 64 c9 55 fc 69 76 63
      0000c0 98 9d 82 fa 76 85 24 da 80 07 29 fe 4e 76 0c 61
      0000d0 ff 23 94 4f c8 5c ce 0b 50 e8 31 bc 9d ce f4 ca
      0000e0 be ca 28 da e6 fa cc 64 1c ec a8 41 db fe 42 bd
      0000f0 a0 e2 4b 32 b4 52 ba 03 70 8e c1 8e d0 50 3a c6
      000100
      
      To my untrained mental entropy detector, the first several bytes of
      each read from /dev/hwrng seem to not be very random (i.e. all zero).
      
      When I revert the patch (apply this patch), I get back to what we have
      in v4.9, which looks like (much more random appearing):
      
      $ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v > rng-good.txt
      1+0 records in
      1+0 records out
      256 bytes (256 B) copied, 0.000252233 s, 1.0 MB/s
      $ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v >> rng-good.txt
      1+0 records in
      1+0 records out
      256 bytes (256 B) copied, 0.000113571 s, 2.3 MB/s
      $ cat rng-good.txt
      000000 75 d1 2d 19 68 1f d2 26 a1 49 22 61 66 e8 09 e5
      000010 e0 4e 10 d0 1a 2c 45 5d 59 04 79 8e e2 b7 2c 2e
      000020 e8 ad da 34 d5 56 51 3d 58 29 c7 7a 8e ed 22 67
      000030 f9 25 b9 fb c6 b7 9c 35 1f 84 21 35 c1 1d 48 34
      000040 45 7c f6 f1 57 63 1a 88 38 e8 81 f0 a9 63 ad 0e
      000050 be 5d 3e 74 2e 4e cb 36 c2 01 a8 14 e1 38 e1 bb
      000060 23 79 09 56 77 19 ff 98 e8 44 f3 27 eb 6e 0a cb
      000070 c9 36 e3 2a 96 13 07 a0 90 3f 3b bd 1d 04 1d 67
      000080 be 33 14 f8 02 c2 a4 02 ab 8b 5b 74 86 17 f0 5e
      000090 a1 d7 aa ef a6 21 7b 93 d1 85 86 eb 4e 8c d0 4c
      0000a0 56 ac e4 45 27 44 84 9f 71 db 36 b9 f7 47 d7 b3
      0000b0 f2 9c 62 41 a3 46 2b 5b e3 80 63 a4 35 b5 3c f4
      0000c0 bc 1e 3a ad e4 59 4a 98 6c e8 8d ff 1b 16 f8 52
      0000d0 05 5c 2f 52 2a 0f 45 5b 51 fb 93 97 a4 49 4f 06
      0000e0 f3 a0 d1 1e ba 3d ed a7 60 8f bb 84 2c 21 94 2d
      0000f0 b3 66 a6 61 1e 58 30 24 85 f8 c8 18 c3 77 00 22
      000100
      000000 73 ca cc a1 d9 bb 21 8d c3 5c f3 ab 43 6d a7 a4
      000010 4a fd c5 f4 9c ba 4a 0f b1 2e 19 15 4e 84 26 e0
      000020 67 c9 f2 52 4d 65 1f 81 b7 8b 6d 2b 56 7b 99 75
      000030 2e cd d0 db 08 0c 4b df f3 83 c6 83 00 2e 2b b8
      000040 0f af 61 1d f2 02 35 74 b5 a4 6f 28 f3 a1 09 12
      000050 f2 53 b5 d2 da 45 01 e5 12 d6 46 f8 0b db ed 51
      000060 7b f4 0d 54 e0 63 ea 22 e2 1d d0 d6 d0 e7 7e e0
      000070 93 91 fb 87 95 43 41 28 de 3d 8b a3 a8 8f c4 9e
      000080 30 95 12 7a b2 27 28 ff 37 04 2e 09 7c dd 7c 12
      000090 e1 50 60 fb 6d 5f a8 65 14 40 89 e3 4c d2 87 8f
      0000a0 34 76 7e 66 7a 8e 6b a3 fc cf 38 52 2e f9 26 f0
      0000b0 98 63 15 06 34 99 b2 88 4f aa d8 14 88 71 f1 81
      0000c0 be 51 11 2b f4 7e a0 1e 12 b2 44 2e f6 8d 84 ea
      0000d0 63 82 2b 66 b3 9a fd 08 73 5a c2 cc ab 5a af b1
      0000e0 88 e3 a6 80 4b fc db ed 71 e0 ae c0 0a a4 8c 35
      0000f0 eb 89 f9 8a 4b 52 59 6f 09 7c 01 3f 56 e7 c7 bf
      000100
      Signed-off-by: default avatarDavid Daney <david.daney@cavium.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3b802c94
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 507053d2
      Linus Torvalds authored
      Merge fixes from Andrew Morton:
       "4 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm/slub.c: fix random_seq offset destruction
        cpumask: use nr_cpumask_bits for parsing functions
        mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
        kernel/ucount.c: mark user_header with kmemleak_ignore()
      507053d2
  2. 08 Feb, 2017 9 commits
    • Sean Rees's avatar
      mm/slub.c: fix random_seq offset destruction · a810007a
      Sean Rees authored
      Commit 210e7a43 ("mm: SLUB freelist randomization") broke USB hub
      initialisation as described in
      
        https://bugzilla.kernel.org/show_bug.cgi?id=177551.
      
      Bail out early from init_cache_random_seq if s->random_seq is already
      initialised.  This prevents destroying the previously computed
      random_seq offsets later in the function.
      
      If the offsets are destroyed, then shuffle_freelist will truncate
      page->freelist to just the first object (orphaning the rest).
      
      Fixes: 210e7a43 ("mm: SLUB freelist randomization")
      Link: http://lkml.kernel.org/r/20170207140707.20824-1-sean@erifax.orgSigned-off-by: default avatarSean Rees <sean@erifax.org>
      Reported-by: <userwithuid@gmail.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Thomas Garnier <thgarnie@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a810007a
    • Tejun Heo's avatar
      cpumask: use nr_cpumask_bits for parsing functions · 4d59b6cc
      Tejun Heo authored
      Commit 513e3d2d ("cpumask: always use nr_cpu_ids in formatting and
      parsing functions") converted both cpumask printing and parsing
      functions to use nr_cpu_ids instead of nr_cpumask_bits.  While this was
      okay for the printing functions as it just picked one of the two output
      formats that we were alternating between depending on a kernel config,
      doing the same for parsing wasn't okay.
      
      nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS.  We can always use
      nr_cpu_ids but that is a variable while NR_CPUS is a constant, so it can
      be more efficient to use NR_CPUS when we can get away with it.
      Converting the printing functions to nr_cpu_ids makes sense because it
      affects how the masks get presented to userspace and doesn't break
      anything; however, using nr_cpu_ids for parsing functions can
      incorrectly leave the higher bits uninitialized while reading in these
      masks from userland.  As all testing and comparison functions use
      nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed cpumasks
      can erroneously yield false negative results.
      
      This made the taskstats interface incorrectly return -EINVAL even when
      the inputs were correct.
      
      Fix it by restoring the parse functions to use nr_cpumask_bits instead
      of nr_cpu_ids.
      
      Link: http://lkml.kernel.org/r/20170206182442.GB31078@htj.duckdns.org
      Fixes: 513e3d2d ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarMartin Steigerwald <martin.steigerwald@teamix.de>
      Debugged-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Cc: <stable@vger.kernel.org>	[4.0+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4d59b6cc
    • Jan Kara's avatar
      mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers · 0911d004
      Jan Kara authored
      Some ->page_mkwrite handlers may return VM_FAULT_RETRY as its return
      code (GFS2 or Lustre can definitely do this).  However VM_FAULT_RETRY
      from ->page_mkwrite is completely unhandled by the mm code and results
      in locking and writeably mapping the page which definitely is not what
      the caller wanted.
      
      Fix Lustre and block_page_mkwrite_ret() used by other filesystems
      (notably GFS2) to return VM_FAULT_NOPAGE instead which results in
      bailing out from the fault code, the CPU then retries the access, and we
      fault again effectively doing what the handler wanted.
      
      Link: http://lkml.kernel.org/r/20170203150729.15863-1-jack@suse.czSigned-off-by: default avatarJan Kara <jack@suse.cz>
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Reviewed-by: default avatarJinshan Xiong <jinshan.xiong@intel.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0911d004
    • Luis R. Rodriguez's avatar
      kernel/ucount.c: mark user_header with kmemleak_ignore() · ed5bd7dc
      Luis R. Rodriguez authored
      The user_header gets caught by kmemleak with the following splat as
      missing a free:
      
        unreferenced object 0xffff99667a733d80 (size 96):
        comm "swapper/0", pid 1, jiffies 4294892317 (age 62191.468s)
        hex dump (first 32 bytes):
          a0 b6 92 b4 ff ff ff ff 00 00 00 00 01 00 00 00  ................
          01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
           kmemleak_alloc+0x4a/0xa0
           __kmalloc+0x144/0x260
           __register_sysctl_table+0x54/0x5e0
           register_sysctl+0x1b/0x20
           user_namespace_sysctl_init+0x17/0x34
           do_one_initcall+0x52/0x1a0
           kernel_init_freeable+0x173/0x200
           kernel_init+0xe/0x100
           ret_from_fork+0x2c/0x40
      
      The BUG_ON()s are intended to crash so no need to clean up after
      ourselves on error there.  This is also a kernel/ subsys_init() we don't
      need a respective exit call here as this is never modular, so just white
      list it.
      
      Link: http://lkml.kernel.org/r/20170203211404.31458-1-mcgrof@kernel.orgSigned-off-by: default avatarLuis R. Rodriguez <mcgrof@kernel.org>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Nikolay Borisov <n.borisov.lkml@gmail.com>
      Cc: Serge Hallyn <serge@hallyn.com>
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ed5bd7dc
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · be11f436
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - check MSI affinity vs. number of vectors to avoid memory corruption
      
       - drop runtime power management for PCIe hotplug ports for now to avoid
         regressing hotplug via sysfs
      
      * tag 'pci-v4.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        Revert "PCI: pciehp: Add runtime PM support for PCIe hotplug ports"
        PCI/MSI: Don't apply affinity if there aren't enough vectors left
      be11f436
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 472ff5be
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
      
       - A relatively large patch restores booting on i.MX platforms that
         failed to boot after a cleanup was merged for v4.10.
      
       - A quirk for USB needs to be enabled on the STi platform
      
       - On the Meson platform, we saw memory corruption with part of the
         memory used by the secure monitor, so we have to stay out of that
         area.
      
       - The same platform also has a problem with ethernet under load, which
         is fixed by disabling EEE negotiation.
      
       - imx6dl has an incorrect pin configuration, which prevents SPI from
         working.
      
       - Two maintainers have lost their access to their email addresses, so
         we should update the MAINTAINERS file before the release
      
       - Renaming one of the orion5x linkstation models to help simplify the
         debian install.
      
       - A couple of fixes for build warnings that were introduced during
         v4.10-rc.
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: defconfigs: make NF_CT_PROTO_SCTP and NF_CT_PROTO_UDPLITE built-in
        MAINTAINERS: socfpga: update email for Dinh Nguyen
        ARM: orion5x: fix Makefile for linkstation-lschl.dtb
        ARM: dts: orion5x-lschl: More consistent naming on linkstation series
        ARM: dts: orion5x-lschl: Fix model name
        MAINTAINERS: change email address from atmel to microchip
        MAINTAINERS: at91: change email address
        ARM64: dts: meson-gx: Add firmware reserved memory zones
        ARM64: dts: meson-gxbb-odroidc2: fix GbE tx link breakage
        ARM: dts: STiH407-family: set snps,dis_u3_susphy_quirk
        ARM: dts: imx: Pass 'chosen' and 'memory' nodes
        ARM: dts: imx6dl: fix GPIO4 range
        ARM: imx: hide unused variable in #ifdef
      472ff5be
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · d3498fba
      Linus Torvalds authored
      Pull selinux fix from James Morris:
       "Fix off-by-one in setprocattr"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        selinux: fix off-by-one in setprocattr
      d3498fba
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 23fbe2cd
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "A single fix that should go into 4.10, fixing a regression on some
        devices with the WRITE_SAME command"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        block: don't try Write Same from __blkdev_issue_zeroout
      23fbe2cd
    • Stephen Smalley's avatar
      selinux: fix off-by-one in setprocattr · 0c461cb7
      Stephen Smalley authored
      SELinux tries to support setting/clearing of /proc/pid/attr attributes
      from the shell by ignoring terminating newlines and treating an
      attribute value that begins with a NUL or newline as an attempt to
      clear the attribute.  However, the test for clearing attributes has
      always been wrong; it has an off-by-one error, and this could further
      lead to reading past the end of the allocated buffer since commit
      bb646cdb ("proc_pid_attr_write():
      switch to memdup_user()").  Fix the off-by-one error.
      
      Even with this fix, setting and clearing /proc/pid/attr attributes
      from the shell is not straightforward since the interface does not
      support multiple write() calls (so shells that write the value and
      newline separately will set and then immediately clear the attribute,
      requiring use of echo -n to set the attribute), whereas trying to use
      echo -n "" to clear the attribute causes the shell to skip the
      write() call altogether since POSIX says that a zero-length write
      causes no side effects. Thus, one must use echo -n to set and echo
      without -n to clear, as in the following example:
      $ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
      $ cat /proc/$$/attr/fscreate
      unconfined_u:object_r:user_home_t:s0
      $ echo "" > /proc/$$/attr/fscreate
      $ cat /proc/$$/attr/fscreate
      
      Note the use of /proc/$$ rather than /proc/self, as otherwise
      the cat command will read its own attribute value, not that of the shell.
      
      There are no users of this facility to my knowledge; possibly we
      should just get rid of it.
      
      UPDATE: Upon further investigation it appears that a local process
      with the process:setfscreate permission can cause a kernel panic as a
      result of this bug.  This patch fixes CVE-2017-2618.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: added the update about CVE-2017-2618 to the commit description]
      Cc: stable@vger.kernel.org # 3.5: d6ea83ecSigned-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      0c461cb7
  3. 07 Feb, 2017 17 commits
  4. 06 Feb, 2017 12 commits
    • Linus Torvalds's avatar
      Merge tag 'pm-4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f7d6040a
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These add a quirk to intel_pstate to work around a firmware setting
        that leads to frequency scaling issues (discovered recently) on some
        Intel Kaby Lake processors, fix up the recently added brcmstb-avs
        cpufreq driver and avoid false-positive warnings from the runtime PM
        framework triggered by recent changes in i915.
      
        Specifics:
      
         - Add an intel_pstate driver quirk to work around a firmware setting
           that leads to frequency scaling issues on desktop Intel Kaby Lake
           processors in some configurations if the hardware-managed P-states
           (HWP) feature is in use (Srinivas Pandruvada)
      
         - Fix up the recently added brcmstb-avs cpufreq driver: fix a bug
           related to system suspend and change the sysfs interface to match
           the user space expectations (Markus Mayer)
      
         - Modify the runtime PM framework to avoid false-positive warnings
           from the might_sleep_if() assertions in it (Rafael Wysocki)"
      
      * tag 'pm-4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM / runtime: Avoid false-positive warnings from might_sleep_if()
        cpufreq: intel_pstate: Disable energy efficiency optimization
        cpufreq: brcmstb-avs-cpufreq: properly retrieve P-state upon suspend
        cpufreq: brcmstb-avs-cpufreq: extend sysfs entry brcm_avs_pmap
      f7d6040a
    • Linus Torvalds's avatar
      Merge tag 'dm-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 50dcb6cd
      Linus Torvalds authored
      Pull device mapper fixes from Mike Snitzer:
      
       - a fix for a race in .request_fn request-based DM request handling vs
         DM device destruction
      
       - an RCU fix for dm-crypt's kernel keyring support that was included in
         4.10-rc1
      
       - a -Wbool-operation warning fix for DM multipath
      
      * tag 'dm-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm crypt: replace RCU read-side section with rwsem
        dm rq: cope with DM device destruction while in dm_old_request_fn()
        dm mpath: cleanup -Wbool-operation warning in choose_pgpath()
      50dcb6cd
    • Linus Torvalds's avatar
      Merge tag 'media/v4.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 72df5eba
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
       "A few documentation fixes at CEC (with got promoted from staging for
        4.10), and one fix on its core."
      
      * tag 'media/v4.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] cec: fix wrong last_la determination
        [media] cec-intro.rst: mention the v4l-utils package and CEC utilities
        [media] cec rst: remove "This API is not yet finalized" notice
      72df5eba
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 396bf4cd
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - use-after-free in algif_aead
      
       - modular aesni regression when pcbc is modular but absent
      
       - bug causing IO page faults in ccp
      
       - double list add in ccp
      
       - NULL pointer dereference in qat (two patches)
      
       - panic in chcr
      
       - NULL pointer dereference in chcr
      
       - out-of-bound access in chcr
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: chcr - Fix key length for RFC4106
        crypto: algif_aead - Fix kernel panic on list_del
        crypto: aesni - Fix failure when pcbc module is absent
        crypto: ccp - Fix double add when creating new DMA command
        crypto: ccp - Fix DMA operations when IOMMU is enabled
        crypto: chcr - Check device is allocated before use
        crypto: chcr - Fix panic on dma_unmap_sg
        crypto: qat - zero esram only for DH85x devices
        crypto: qat - fix bar discovery for c62x
      396bf4cd
    • Arnd Bergmann's avatar
      hns: avoid stack overflow with CONFIG_KASAN · b3f2d07f
      Arnd Bergmann authored
      The use of ACCESS_ONCE() looks like a micro-optimization to force gcc to use
      an indexed load for the register address, but it has an absolutely detrimental
      effect on builds with gcc-5 and CONFIG_KASAN=y, leading to a very likely
      kernel stack overflow aside from very complex object code:
      
      hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_update_stats':
      hisilicon/hns/hns_dsaf_gmac.c:419:1: error: the frame size of 2912 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_reset_common':
      hisilicon/hns/hns_dsaf_ppe.c:390:1: error: the frame size of 1184 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_get_regs':
      hisilicon/hns/hns_dsaf_ppe.c:621:1: error: the frame size of 3632 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_common_regs':
      hisilicon/hns/hns_dsaf_rcb.c:970:1: error: the frame size of 2784 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_get_regs':
      hisilicon/hns/hns_dsaf_gmac.c:641:1: error: the frame size of 5728 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_ring_regs':
      hisilicon/hns/hns_dsaf_rcb.c:1021:1: error: the frame size of 2208 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_comm_init':
      hisilicon/hns/hns_dsaf_main.c:1209:1: error: the frame size of 1904 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_xgmac.c: In function 'hns_xgmac_get_regs':
      hisilicon/hns/hns_dsaf_xgmac.c:748:1: error: the frame size of 4704 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_update_stats':
      hisilicon/hns/hns_dsaf_main.c:2420:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_regs':
      hisilicon/hns/hns_dsaf_main.c:2753:1: error: the frame size of 10768 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      
      This does not seem to happen any more with gcc-7, but removing the ACCESS_ONCE
      seems safe anyway and it avoids a serious issue for some people. I have verified
      that with gcc-5.3.1, the object code we get is better in the new version
      both with and without CONFIG_KASAN, as we no longer allocate a 1344 byte
      stack frame for hns_dsaf_get_regs() but otherwise have practically identical
      object code.
      
      With gcc-7.0.0, removing ACCESS_ONCE has no effect, the object code is already
      good either way.
      
      This patch is probably not urgent to get into 4.11 as only KASAN=y builds
      with certain compilers are affected, but I still think it makes sense to
      backport into older kernels.
      
      Cc: stable@vger.kernel.org
      Fixes: 511e6bc0 ("net: add Hisilicon Network Subsystem DSAF support")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b3f2d07f
    • Linus Lüssing's avatar
      ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches · a088d1d7
      Linus Lüssing authored
      When for instance a mobile Linux device roams from one access point to
      another with both APs sharing the same broadcast domain and a
      multicast snooping switch in between:
      
      1)    (c) <~~~> (AP1) <--[SSW]--> (AP2)
      
      2)              (AP1) <--[SSW]--> (AP2) <~~~> (c)
      
      Then currently IPv6 multicast packets will get lost for (c) until an
      MLD Querier sends its next query message. The packet loss occurs
      because upon roaming the Linux host so far stayed silent regarding
      MLD and the snooping switch will therefore be unaware of the
      multicast topology change for a while.
      
      This patch fixes this by always resending MLD reports when an interface
      change happens, for instance from NO-CARRIER to CARRIER state.
      Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a088d1d7
    • Arnd Bergmann's avatar
      ARM: defconfigs: make NF_CT_PROTO_SCTP and NF_CT_PROTO_UDPLITE built-in · 5aff1d24
      Arnd Bergmann authored
      The symbols can no longer be used as loadable modules, leading to a harmless Kconfig
      warning:
      
      arch/arm/configs/imote2_defconfig:60:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE
      arch/arm/configs/imote2_defconfig:59:warning: symbol value 'm' invalid for NF_CT_PROTO_SCTP
      arch/arm/configs/ezx_defconfig:68:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE
      arch/arm/configs/ezx_defconfig:67:warning: symbol value 'm' invalid for NF_CT_PROTO_SCTP
      
      Let's make them built-in.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      5aff1d24
    • Christoph Hellwig's avatar
      block: don't try Write Same from __blkdev_issue_zeroout · eeeefd41
      Christoph Hellwig authored
      Write Same can return an error asynchronously if it turns out the
      underlying SCSI device does not support Write Same, which makes a
      proper fallback to other methods in __blkdev_issue_zeroout impossible.
      Thus only issue a Write Same from blkdev_issue_zeroout an don't try it
      at all from __blkdev_issue_zeroout as a non-invasive workaround.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarJunichi Nomura <j-nomura@ce.jp.nec.com>
      Fixes: e73c23ff ("block: add async variant of blkdev_issue_zeroout")
      Tested-by: default avatarJunichi Nomura <j-nomura@ce.jp.nec.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      eeeefd41
    • Arnd Bergmann's avatar
      Merge tag 'mvebu-fixes-4.10-1' of git://git.infradead.org/linux-mvebu into fixes · a47b3fca
      Arnd Bergmann authored
      Pull "mvebu fixes for 4.10 (part 1)" from Gregory CLEMENT:
      
      More consistent naming for some orion5x based boards helping the
      switch to device tree for debian users.
      
      * tag 'mvebu-fixes-4.10-1' of git://git.infradead.org/linux-mvebu:
        ARM: orion5x: fix Makefile for linkstation-lschl.dtb
        ARM: dts: orion5x-lschl: More consistent naming on linkstation series
        ARM: dts: orion5x-lschl: Fix model name
      a47b3fca
    • Dinh Nguyen's avatar
      MAINTAINERS: socfpga: update email for Dinh Nguyen · 08b3b33f
      Dinh Nguyen authored
      My opensource.altera.com email will be going away soon.
      Signed-off-by: default avatarDinh Nguyen <dinguyen@kernel.org>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      08b3b33f
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2017-02-06' of... · 62f01db9
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2017-02-06' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.10
      
      Only one important fix for rtlwifi which fixes a regression introduced
      in 4.9 and which caused problems for many users.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      62f01db9
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2017-02-06' of... · 89389b4d
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2017-02-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A few simple fixes:
       * fix FILS AEAD cipher usage to use the correct AAD vectors
         and to use synchronous algorithms
       * fix using mesh HT operation data from userspace
       * fix adding mesh vendor elements to beacons & plink frames
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89389b4d