Fix description of some of the bpf_asm tool related jump instructions
and generally move them to format A <op> k.
Reported-by: NSebastian Amend <sebastian.amend@googlemail.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Acked-by: NAlexei Starovoitov <ast@kernel.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This work adds a generic facility for use from eBPF JIT compilers
that allows for further hardening of JIT generated images through
blinding constants. In response to the original work on BPF JIT
spraying published by Keegan McAllister [1], most BPF JITs were
changed to make images read-only and start at a randomized offset
in the page, where the rest was filled with trap instructions. We
have this nowadays in x86, arm, arm64 and s390 JIT compilers.
Additionally, later work also made eBPF interpreter images read
only for kernels supporting DEBUG_SET_MODULE_RONX, that is, x86,
arm, arm64 and s390 archs as well currently. This is done by
default for mentioned JITs when JITing is enabled. Furthermore,
we had a generic and configurable constant blinding facility on our
todo for quite some time now to further make spraying harder, and
first implementation since around netconf 2016.

We found that for systems where untrusted users can load cBPF/eBPF
code where JIT is enabled, start offset randomization helps a bit
to make jumps into crafted payload harder, but in case where larger
programs that cross page boundary are injected, we again have some
part of the program opcodes at a page start offset. With improved
guessing and more reliable payload injection, chances can increase
to jump into such payload. Elena Reshetova recently wrote a test
case for it [2, 3]. Moreover, eBPF comes with 64 bit constants, which
can leave some more room for payloads. Note that for all this,
additional bugs in the kernel are still required to make the jump
(and of course to guess right, to not jump into a trap) and naturally
the JIT must be enabled, which is disabled by default.

For helping mitigation, the general idea is to provide an option
bpf_jit_harden that admins can tweak along with bpf_jit_enable, so
that for cases where JIT should be enabled for performance reasons,
the generated image can be further hardened with blinding constants
for unpriviledged users (bpf_jit_harden == 1), with trading off
performance for these, but not for privileged ones. We also added
the option of blinding for all users (bpf_jit_harden == 2), which
is quite helpful for testing f.e. with test_bpf.ko. There are no
further e.g. hardening levels of bpf_jit_harden switch intended,
rationale is to have it dead simple to use as on/off. Since this
functionality would need to be duplicated over and over for JIT
compilers to use, which are already complex enough, we provide a
generic eBPF byte-code level based blinding implementation, which is
then just transparently JITed. JIT compilers need to make only a few
changes to integrate this facility and can be migrated one by one.

This option is for eBPF JITs and will be used in x86, arm64, s390
without too much effort, and soon ppc64 JITs, thus that native eBPF
can be blinded as well as cBPF to eBPF migrations, so that both can
be covered with a single implementation. The rule for JITs is that
bpf_jit_blind_constants() must be called from bpf_int_jit_compile(),
and in case blinding is disabled, we follow normally with JITing the
passed program. In case blinding is enabled and we fail during the
process of blinding itself, we must return with the interpreter.
Similarly, in case the JITing process after the blinding failed, we
return normally to the interpreter with the non-blinded code. Meaning,
interpreter doesn't change in any way and operates on eBPF code as
usual. For doing this pre-JIT blinding step, we need to make use of
a helper/auxiliary register, here BPF_REG_AX. This is strictly internal
to the JIT and not in any way part of the eBPF architecture. Just like
in the same way as JITs internally make use of some helper registers
when emitting code, only that here the helper register is one
abstraction level higher in eBPF bytecode, but nevertheless in JIT
phase. That helper register is needed since f.e. manually written
program can issue loads to all registers of eBPF architecture.

The core concept with the additional register is: blind out all 32
and 64 bit constants by converting BPF_K based instructions into a
small sequence from K_VAL into ((RND ^ K_VAL) ^ RND). Therefore, this
is transformed into: BPF_REG_AX := (RND ^ K_VAL), BPF_REG_AX ^= RND,
and REG <OP> BPF_REG_AX, so actual operation on the target register
is translated from BPF_K into BPF_X one that is operating on
BPF_REG_AX's content. During rewriting phase when blinding, RND is
newly generated via prandom_u32() for each processed instruction.
64 bit loads are split into two 32 bit loads to make translation and
patching not too complex. Only basic thing required by JITs is to
call the helper bpf_jit_blind_constants()/bpf_jit_prog_release_other()
pair, and to map BPF_REG_AX into an unused register.

Small bpf_jit_disasm extract from [2] when applied to x86 JIT:

echo 0 > /proc/sys/net/core/bpf_jit_harden

  ffffffffa034f5e9 + <x>:
  [...]
  39:   mov    $0xa8909090,%eax
  3e:   mov    $0xa8909090,%eax
  43:   mov    $0xa8ff3148,%eax
  48:   mov    $0xa89081b4,%eax
  4d:   mov    $0xa8900bb0,%eax
  52:   mov    $0xa810e0c1,%eax
  57:   mov    $0xa8908eb4,%eax
  5c:   mov    $0xa89020b0,%eax
  [...]

echo 1 > /proc/sys/net/core/bpf_jit_harden

  ffffffffa034f1e5 + <x>:
  [...]
  39:   mov    $0xe1192563,%r10d
  3f:   xor    $0x4989b5f3,%r10d
  46:   mov    %r10d,%eax
  49:   mov    $0xb8296d93,%r10d
  4f:   xor    $0x10b9fd03,%r10d
  56:   mov    %r10d,%eax
  59:   mov    $0x8c381146,%r10d
  5f:   xor    $0x24c7200e,%r10d
  66:   mov    %r10d,%eax
  69:   mov    $0xeb2a830e,%r10d
  6f:   xor    $0x43ba02ba,%r10d
  76:   mov    %r10d,%eax
  79:   mov    $0xd9730af,%r10d
  7f:   xor    $0xa5073b1f,%r10d
  86:   mov    %r10d,%eax
  89:   mov    $0x9a45662b,%r10d
  8f:   xor    $0x325586ea,%r10d
  96:   mov    %r10d,%eax
  [...]

As can be seen, original constants that carry payload are hidden
when enabled, actual operations are transformed from constant-based
to register-based ones, making jumps into constants ineffective.
Above extract/example uses single BPF load instruction over and
over, but of course all instructions with constants are blinded.

Performance wise, JIT with blinding performs a bit slower than just
JIT and faster than interpreter case. This is expected, since we
still get all the performance benefits from JITing and in normal
use-cases not every single instruction needs to be blinded. Summing
up all 296 test cases averaged over multiple runs from test_bpf.ko
suite, interpreter was 55% slower than JIT only and JIT with blinding
was 8% slower than JIT only. Since there are also some extremes in
the test suite, I expect for ordinary workloads that the performance
for the JIT with blinding case is even closer to JIT only case,
f.e. nmap test case from suite has averaged timings in ns 29 (JIT),
35 (+ blinding), and 151 (interpreter).

BPF test suite, seccomp test suite, eBPF sample code and various
bigger networking eBPF programs have been tested with this and were
running fine. For testing purposes, I also adapted interpreter and
redirected blinded eBPF image to interpreter and also here all tests
pass.

  [1] http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
  [2] https://github.com/01org/jit-spray-poc-for-ksp/
  [3] http://www.openwall.com/lists/kernel-hardening/2016/05/03/5Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Reviewed-by: NElena Reshetova <elena.reshetova@intel.com>
Acked-by: NAlexei Starovoitov <ast@kernel.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The framework only asserts (for now) that the reset gpio is not active.
Signed-off-by: NUwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: NRoger Quadros <rogerq@ti.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Some ethernet adapter vendors are supplying products which support optional
(payed license) features. On some adapters this includes a hardware iscsi
initiator.  The same adapters in a normal (no extra licenses) mode of
operation can be used as a software iscsi initiator.  In addition, software
iscsi boot initiators are becoming a standard part of many vendors uefi
implementations.  This is creating difficulties during early boot/install
determining the proper configuration method for these adapters when they
are used as a boot device.

The attached patch creates sysfs entries to expose information from the
acpi header of the ibft table.  This information allows for a method to
easily determining if an ibft table was created by a ethernet card's
firmware or the system uefi/bios.  In the case of a hardware initiator this
information in combination with the pci vendor and device id can be used
to ascertain any vendor specific behaviors that need to be accommodated.
Reviewed-by: NLee Duncan <lduncan@suse.com>
Signed-off-by: NDavid Bond <dbond@suse.com>
Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Correct what appears to be a typo in the name of the sd-uhs-sdr50.

Also fix mixed tab/space indentation.
Signed-off-by: NSimon Horman <horms+renesas@verge.net.au>
Signed-off-by: NUlf Hansson <ulf.hansson@linaro.org>

Resetting the switch is something the driver does, not the framework.
So move the parsing of this property into the driver.

There are no in kernel users of this property, so moving it does not
break anything. There is however a board which will make use of this
property making its way into the kernel.
Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Allow Marvell switches to be mdio devices. Currently the driver just
allocate the private structure and detects what device is on the
bus. Later patches will make them register with the DSA framework.
Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This patch adds the device tree bindings for the Western Digital's
MyBook Live memory-mapped GPIO controllers.

The gpios will be supported by gpio-mmio code of the
GPIO generic library.
Signed-off-by: NChristian Lamparter <chunkeey@googlemail.com>
Acked-by: NRob Herring <robh@kernel.org>
Reviewed-by: NAndy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>

Make it possible to name the producer side of a GPIO line using
a "gpio-line-names" property array, modeled on the
"clock-output-names" property from the clock bindings.

This naming is especially useful for:

- Debugging: lines are named after function, not just opaque
  offset numbers.

- Exploration: systems where some or all GPIO lines are available
  to end users, such as prototyping, one-off's "makerspace usecases"
  users are helped by the names of the GPIO lines when tinkering.
  This usecase has been surfacing recently.

The gpio-line-names attribute is completely optional.

Example output from lsgpio on a patched Snowball tree:

GPIO chip: gpiochip6, "8000e180.gpio", 32 GPIO lines
        line  0: unnamed unused
        line  1: "AP_GPIO161" "extkb3" [kernel]
        line  2: "AP_GPIO162" "extkb4" [kernel]
        line  3: "ACCELEROMETER_INT1_RDY" unused [kernel]
        line  4: "ACCELEROMETER_INT2" unused
        line  5: "MAG_DRDY" unused [kernel]
        line  6: "GYRO_DRDY" unused [kernel]
        line  7: "RSTn_MLC" unused
        line  8: "RSTn_SLC" unused
        line  9: "GYRO_INT" unused
        line 10: "UART_WAKE" unused
        line 11: "GBF_RESET" unused
        line 12: unnamed unused

Cc: Grant Likely <grant.likely@linaro.org>
Cc: Amit Kucheria <amit.kucheria@linaro.org>
Cc: David Mandala <david.mandala@linaro.org>
Cc: Lee Campbell <leecam@google.com>
Cc: devicetree@vger.kernel.org
Acked-by: NRob Herring <robh@kernel.org>
Reviewed-by: NMichael Welling <mwelling@ieee.org>
Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>

Allowing unprivileged kernel profiling lets any user dump follow kernel
control flow and dump kernel registers.  This most likely allows trivial
kASLR bypassing, and it may allow other mischief as well.  (Off the top
of my head, the PERF_SAMPLE_REGS_INTR output during /dev/urandom reads
could be quite interesting.)
Signed-off-by: NAndy Lutomirski <luto@kernel.org>
Acked-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

With the new autoksyms support, we can run into a situation where
the v4l pci skeleton module is the only one using some exported
symbols that get dropped because they are never referenced by
the kernel otherwise, causing a build problem:

ERROR: "vb2_dma_contig_memops" [Documentation/video4linux/v4l2-pci-skeleton.ko] undefined!
ERROR: "vb2_dma_contig_init_ctx_attrs" [Documentation/video4linux/v4l2-pci-skeleton.ko] undefined!
ERROR: "v4l2_match_dv_timings" [Documentation/video4linux/v4l2-pci-skeleton.ko] undefined!
ERROR: "v4l2_find_dv_timings_cap" [Documentation/video4linux/v4l2-pci-skeleton.ko] undefined!
ERROR: "v4l2_valid_dv_timings" [Documentation/video4linux/v4l2-pci-skeleton.ko] undefined!
ERROR: "v4l2_enum_dv_timings_cap" [Documentation/video4linux/v4l2-pci-skeleton.ko] undefined!
ERROR: "vb2_dma_contig_cleanup_ctx" [Documentation/video4linux/v4l2-pci-skeleton.ko] undefined!

Specifically, we do look in the samples directory for users of
symbols, but not the Documentation directory.

This solves the build problem by moving the connector sample into
the same directory as the other samples.

Fixes: 23121ca2 ("kbuild: create/adjust generated/autoksyms.h")
Signed-off-by: NArnd Bergmann <arnd@arndb.de>

Hauppauge WinTV-dualHD is a USB 2.0 dual DVB-T/T2/C tuner with
following components:

USB bridge: Empia EM28274 (chip id is the same as EM28174)
Demodulator: 2x Silicon Labs Si2168-B40
Tuner: 2x Silicon Labs Si2157-A30

This patch adds support only for the first tuner.

The demodulator needs firmware, available for example here:
http://palosaari.fi/linux/v4l-dvb/firmware/Si2168/Si2168-B40/4.0.11/

The demodulators sit on the same I2C bus and their addresses
are 0x64 and 0x67. The tuners are behind the demodulators and
their addresses are 0x60 and 0x63.
Signed-off-by: NOlli Salonen <olli.salonen@iki.fi>
Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>

Add missing USB id's for em281xx devices.
Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>

Some new boards were added without updating those lists.
Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>

Adding EZchip NPS400 support.
Internal interrupts are handled by Multi Thread Manager (MTM)
Once interrupt is serviced MTM is acked for deactivating the interrupt.
External interrupts are handled by MTM as well as at Global Interrupt
Controller (GIC) e.g. serial and network devices.
Signed-off-by: NNoam Camus <noamc@ezchip.com>
Acked-by: NMarc Zyngier <marc.zyngier@arm.com>
Acked-by: NVineet Gupta <vgupta@synopsys.com>
Acked-by: NJason Cooper <jason@lakedaemon.net>
Cc: Thomas Gleixner <tglx@linutronix.de>

Add internal tick generator which is shared by all cores.
Each cluster of cores view it through dedicated address.
This is used for SMP system where all CPUs synced by same
clock source.
Signed-off-by: NNoam Camus <noamc@ezchip.com>
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Rob Herring <robh+dt@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: John Stultz <john.stultz@linaro.org>
Acked-by: NVineet Gupta <vgupta@synopsys.com>
Acked-by: NDaniel Lezcano <daniel.lezcano@linaro.org>

Add EZchip to vendor prefixes list.
EZchip introduce the NPS platform for the ARC architecture.
Signed-off-by: NNoam Camus <noamc@ezchip.com>
Acked-by: NRob Herring <robh+dt@kernel.org>
Cc: Pawel Moll <pawel.moll@arm.com>

ARC Timers have historically been probed directly.
As precursor to start probing Timers thru DT introduce these bindings
Note that to keep series bisectable, these bindings are not yet used in
code.

Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: devicetree@vger.kernel.org
Acked-by: NRob Herring <robh@kernel.org>
Signed-off-by: NVineet Gupta <vgupta@synopsys.com>

In few places the term "ones-complement sum" was used but the actual
meaning is "the complement of the ones-complement sum".

Also, avoid enclosing long statements with underscore, to ease
readability.
Signed-off-by: NShmulik Ladkani <shmulik.ladkani@gmail.com>
Acked-by: NEdward Cree <ecree@solarflare.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

explain how verifier checks safety of packet access
and update email addresses.
Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
Acked-by: NDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Existing drivers and examples are updated to use the
module_rpmsg_driver helper macro.
Signed-off-by: NAndrew F. Davis <afd@ti.com>
Signed-off-by: NBjorn Andersson <bjorn.andersson@linaro.org>

An rpmsg_driver does not need to set an owner, it will be populated by
the driver core.
Signed-off-by: NAndrew F. Davis <afd@ti.com>
Signed-off-by: NBjorn Andersson <bjorn.andersson@linaro.org>

Add entries for all supported chip variants into the of_match list, so that
the matching driver_info can be selected when using dt.
Signed-off-by: NJulian Scheel <julian@jusst.de>
Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>

Add device tree binding documentation for the adv7180 video decoder family.
Signed-off-by: NJulian Scheel <julian@jusst.de>
Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>

Calling a GPIO LEDs is quite likely to work even if the kernel
has paniced, so they are ideal to blink in this situation.
This commit adds support for the new "panic-indicator"
firmware property, allowing to mark a given LED to blink on
a kernel panic.
Signed-off-by: NEzequiel Garcia <ezequiel@vanguardiasur.com.ar>
Reviewed-by: NMatthias Brugger <mbrugger@suse.com>
Acked-by: NPavel Machek <pavel@ucw.cz>
Signed-off-by: NJacek Anaszewski <j.anaszewski@samsung.com>

It's desirable to specify which LEDs are to be blinked on a kernel
panic. Therefore, introduce a devicetree boolean property to mark
which LEDs should be treated this way, if possible.
Signed-off-by: NEzequiel Garcia <ezequiel@vanguardiasur.com.ar>
Reviewed-by: NMatthias Brugger <mbrugger@suse.com>
Acked-by: NRob Herring <rob@kernel.org>
Acked-by: NPavel Machek <pavel@ucw.cz>
Signed-off-by: NJacek Anaszewski <j.anaszewski@samsung.com>

Signed-off-by: NEric Engestrom <eric@engestrom.ch>
Signed-off-by: NMike Snitzer <snitzer@redhat.com>

Also fix some typos and make all "smq" and "mq" references consistently
lowercase.
Signed-off-by: NMike Snitzer <snitzer@redhat.com>

Running self-tests for a short-lived KVM VM takes 28ms on my laptop.
This commit adds a flag 'cryptomgr.notests' which allows them to be
disabled.

However if fips=1 as well, we ignore this flag as FIPS mode mandates
that the self-tests are run.
Signed-off-by: NRichard W.M. Jones <rjones@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch introduces acpi_osi=!! so that quirks may use it to revert
acpi_osi=!.
Tested-by: NLukas Wunner <lukas@wunner.de>
Tested-by: NChen Yu <yu.c.chen@intel.com>
Signed-off-by: NLv Zheng <lv.zheng@intel.com>
Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>

Drivers that use LLTX need to update trans_start of the netdev_queue.
(Most drivers don't use LLTX; stack does this update if .ndo_start_xmit
 returned TX_OK).
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Some Layerscape SoCs use a simple MSI controller implementation.
It contains only two SCFG register to trigger and describe a
group 32 MSI interrupts. The patch adds bindings to describe
the controller.
Signed-off-by: NMinghuan Lian <Minghuan.Lian@nxp.com>
Acked-by: NRob Herring <robh@kernel.org>
Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>

This patch adds the detailed corrleation between sub-blocks and power line
for Exynos5422.
Signed-off-by: NChanwoo Choi <cw00.choi@samsung.com>
Acked-by: NMyungJoo Ham <myungjoo.ham@samsung.com>

This patch adds NoC (Network on Chip) Probe driver which provides
the primitive values to get the performance data. The packets that the Network
on Chip (NoC) probes detects are transported over the network infrastructure.
Exynos542x bus has multiple NoC probes to provide bandwidth information about
behavior of the SoC that you can use while analyzing system performance.
Signed-off-by: NChanwoo Choi <cw00.choi@samsung.com>
Tested-by: NMarkus Reichl <m.reichl@fivetechno.de>
Tested-by: NAnand Moon <linux.amoon@gmail.com>
Reviewed-by: NKrzysztof Kozlowski <k.kozlowski@samsung.com>

This patch adds the detailed correlation between sub-blocks and power line
for Exynos3250, Exynos4210 and Exynos4x12.
Signed-off-by: NChanwoo Choi <cw00.choi@samsung.com>
Acked-by: NMyungJoo Ham <myungjoo.ham@samsung.com>
Acked-by: NKrzysztof Kozlowski <k.kozlowski@samsung.com>

This patch updates the documentation for passive bus devices and adds the
detailed example of Exynos3250.
Signed-off-by: NChanwoo Choi <cw00.choi@samsung.com>
Acked-by: NMyungJoo Ham <myungjoo.ham@samsung.com>
Acked-by: NKrzysztof Kozlowski <k.kozlowski@samsung.com>

This patch adds the documentation for generic exynos bus frequency
driver.
Signed-off-by: NChanwoo Choi <cw00.choi@samsung.com>
Reviewed-by: NKrzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: NMyungJoo Ham <myungjoo.ham@samsung.com>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

New method: ->iterate_shared().  Same arguments as in ->iterate(),
called with the directory locked only shared.  Once all filesystems
switch, the old one will be gone.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

ta-da!

The main issue is the lack of down_write_killable(), so the places
like readdir.c switched to plain inode_lock(); once killable
variants of rwsem primitives appear, that'll be dealt with.

lockdep side also might need more work
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>