1. 15 8月, 2018 3 次提交
  2. 03 8月, 2018 22 次提交
  3. 02 8月, 2018 15 次提交
    • D
      Revert "net/ipv6: fix metrics leak" · e6aed040
      David S. Miller 提交于
      This reverts commit df18b504.
      
      This change causes other problems and use-after-free situations as
      found by syzbot.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e6aed040
    • L
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 6b470376
      Linus Torvalds 提交于
      Pull ARM fix from Russell King:
       "Just a single fix this time around for recent binutils causing build
        problems when generating Thumb-2 code"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8781/1: Fix Thumb-2 syscall return for binutils 2.29+
      6b470376
    • L
      mm: do not initialize TLB stack vma's with vma_init() · 8b11ec1b
      Linus Torvalds 提交于
      Commit 2c4541e2 ("mm: use vma_init() to initialize VMAs on stack and
      data segments") tried to initialize various left-over ad-hoc vma's
      "properly", but actually made things worse for the temporary vma's used
      for TLB flushing.
      
      vma_init() doesn't actually initialize all of the vma, just a few
      fields, so doing something like
      
         -       struct vm_area_struct vma = { .vm_mm = tlb->mm, };
         +       struct vm_area_struct vma;
         +
         +       vma_init(&vma, tlb->mm);
      
      was actually very bad: instead of having a nicely initialized vma with
      every field but "vm_mm" zeroed, you'd have an entirely uninitialized vma
      with only a couple of fields initialized.  And they weren't even fields
      that the code in question mostly cared about.
      
      The flush_tlb_range() function takes a "struct vma" rather than a
      "struct mm_struct", because a few architectures actually care about what
      kind of range it is - being able to only do an ITLB flush if it's a
      range that doesn't have data accesses enabled, for example.  And all the
      normal users already have the vma for doing the range invalidation.
      
      But a few people want to call flush_tlb_range() with a range they just
      made up, so they also end up using a made-up vma.  x86 just has a
      special "flush_tlb_mm_range()" function for this, but other
      architectures (arm and ia64) do the "use fake vma" thing instead, and
      thus got caught up in the vma_init() changes.
      
      At the same time, the TLB flushing code really doesn't care about most
      other fields in the vma, so vma_init() is just unnecessary and
      pointless.
      
      This fixes things by having an explicit "this is just an initializer for
      the TLB flush" initializer macro, which is used by the arm/arm64/ia64
      people who mis-use this interface with just a dummy vma.
      
      Fixes: 2c4541e2 ("mm: use vma_init() to initialize VMAs on stack and data segments")
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Hugh Dickins <hughd@google.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8b11ec1b
    • H
      mm: delete historical BUG from zap_pmd_range() · 53406ed1
      Hugh Dickins 提交于
      Delete the old VM_BUG_ON_VMA() from zap_pmd_range(), which asserted
      that mmap_sem must be held when splitting an "anonymous" vma there.
      Whether that's still strictly true nowadays is not entirely clear,
      but the danger of sometimes crashing on the BUG is now fairly clear.
      
      Even with the new stricter rules for anonymous vma marking, the
      condition it checks for can possible trigger. Commit 44960f2a
      ("staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem
      pages") is good, and originally I thought it was safe from that
      VM_BUG_ON_VMA(), because the /dev/ashmem fd exposed to the user is
      disconnected from the vm_file in the vma, and madvise(,,MADV_REMOVE)
      insists on VM_SHARED.
      
      But after I read John's earlier mail, drawing attention to the
      vfs_fallocate() in there: I may be wrong, and I don't know if Android
      has THP in the config anyway, but it looks to me like an
      unmap_mapping_range() from ashmem's vfs_fallocate() could hit precisely
      the VM_BUG_ON_VMA(), once it's vma_is_anonymous().
      Signed-off-by: NHugh Dickins <hughd@google.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      53406ed1
    • Y
      rxrpc: Fix user call ID check in rxrpc_service_prealloc_one · c01f6c9b
      YueHaibing 提交于
      There just check the user call ID isn't already in use, hence should
      compare user_call_ID with xcall->user_call_ID, which is current
      node's user_call_ID.
      
      Fixes: 540b1c48 ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
      Suggested-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c01f6c9b
    • L
      Merge tag 'mmc-v4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 9a97ebf7
      Linus Torvalds 提交于
      Pull MMC fix from Ulf Hansson:
       "MMC host: mxcmmc: Fix build error for powerpc"
      
      * tag 'mmc-v4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: mxcmmc: Fix missing parentheses and brace
      9a97ebf7
    • L
      Merge tag 'pm-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f390b7bf
      Linus Torvalds 提交于
      Pull power management fixes from Rafael Wysocki:
       "These fix the scope of a recent intel_pstate driver optimization used
        incorrectly on some systems due to processor identification ambiguity
        and fix a few issues in the turbostat utility, including three recent
        regressions.
      
        Specifics:
      
         - Use ACPI FADT preferred PM Profile to distinguish Skylake desktop
           processors from some server ones with the same model number in
           order to limit the scope of the recent IO-wait boost optimization
           to servers, as intended (Srinivas Pandruvada).
      
         - Fix several issues in the turbostat utility:
            * Fix the -S option on 1-CPU systems (Len Brown).
            * Fix computations using incorrect processor core counts (Artem
              Bityutskiy).
            * Fix the x2apic debug message (Len Brown).
            * Fix logical node enumeration to allow for non-sequential
              physical nodes (Prarit Bhargava).
            * Fix reported family on modern AMD processors (Calvin Walton).
            * Clarify the RAPL column information in the man page (Len Brown)"
      
      * tag 'pm-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: intel_pstate: Limit the scope of HWP dynamic boost platforms
        tools/power turbostat: version 18.07.27
        tools/power turbostat: Read extended processor family from CPUID
        tools/power turbostat: Fix logical node enumeration to allow for non-sequential physical nodes
        tools/power turbostat: fix x2apic debug message output file
        tools/power turbostat: fix bogus summary values
        tools/power turbostat: fix -S on UP systems
        tools/power turbostat: Update turbostat(8) RAPL throttling column description
      f390b7bf
    • L
      squashfs metadata 2: electric boogaloo · cdbb65c4
      Linus Torvalds 提交于
      Anatoly continues to find issues with fuzzed squashfs images.
      
      This time, corrupt, missing, or undersized data for the page filling
      wasn't checked for, because the squashfs_{copy,read}_cache() functions
      did the squashfs_copy_data() call without checking the resulting data
      size.
      
      Which could result in the page cache pages being incompletely filled in,
      and no error indication to the user space reading garbage data.
      
      So make a helper function for the "fill in pages" case, because the
      exact same incomplete sequence existed in two places.
      
      [ I should have made a squashfs branch for these things, but I didn't
        intend to start doing them in the first place.
      
        My historical connection through cramfs is why I got into looking at
        these issues at all, and every time I (continue to) think it's a
        one-off.
      
        Because _this_ time is always the last time. Right?   - Linus ]
      Reported-by: NAnatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Tested-by: NWilly Tarreau <w@1wt.eu>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Phillip Lougher <phillip@squashfs.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      cdbb65c4
    • J
      staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages · 44960f2a
      John Stultz 提交于
      Amit Pundir and Youling in parallel reported crashes with recent
      mainline kernels running Android:
      
        F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        F DEBUG   : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
        F DEBUG   : Revision: '0'
        F DEBUG   : ABI: 'arm'
        F DEBUG   : pid: 2261, tid: 2261, name: zygote  >>> zygote <<<
        F DEBUG   : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
        ... <snip> ...
        F DEBUG   : backtrace:
        F DEBUG   :     #00 pc 00001c04  /system/lib/libc.so (memset+48)
        F DEBUG   :     #1 pc 0010c513  /system/lib/libart.so (create_mspace_with_base+82)
        F DEBUG   :     #2 pc 0015c601  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40)
        F DEBUG   :     #3 pc 0015c3ed  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string<char, std::__ 1::char_traits<char>, std::__1::allocator<char>> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36)
        ...
      
      This was bisected back to commit bfd40eaf ("mm: fix
      vma_is_anonymous() false-positives").
      
      create_mspace_with_base() in the trace above, utilizes ashmem, and with
      ashmem, for shared mappings we use shmem_zero_setup(), which sets the
      vma->vm_ops to &shmem_vm_ops.  But for private ashmem mappings nothing
      sets the vma->vm_ops.
      
      Looking at the problematic patch, it seems to add a requirement that one
      call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be
      used.  Using the dummy_vm_ops seem to triggger SIGBUS when traversing
      unmapped pages.
      
      Thus, this patch adds a call to vma_set_anonymous() for ashmem private
      mappings and seems to avoid the reported problem.
      
      Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Joel Fernandes <joelaf@google.com>
      Cc: Colin Cross <ccross@google.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Reported-by: NAmit Pundir <amit.pundir@linaro.org>
      Reported-by: NYouling 257 <youling257@gmail.com>
      Signed-off-by: NJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      44960f2a
    • L
      ia64: mark special ia64 memory areas anonymous · ebad825c
      Linus Torvalds 提交于
      Commit bfd40eaf ("mm: fix vma_is_anonymous() false-positives") made
      newly allocated vma's have a dummy vm_ops field so that they wouldn't be
      mistaken for anonymous mappings, and if you wanted an anonymous vma you
      had to explicitly say so by calling "vma_set_anonymous()" on it.
      
      However, it missed the two special vmas that ia64 processes have: the
      register backing store and the NaT page.  So they wouldn't actually act
      like anonymous ranges, and page faults on them caused a SIGBUS rather
      than the creation of a new anon page in them.
      
      That obviously will make any ia64 binary very unhappy indeed, and the
      boot fails early.
      
      Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
      Reported-by: NTony Luck <tony.luck@intel.com>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ebad825c
    • F
      net: dsa: Do not suspend/resume closed slave_dev · a94c689e
      Florian Fainelli 提交于
      If a DSA slave network device was previously disabled, there is no need
      to suspend or resume it.
      
      Fixes: 24462549 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a94c689e
    • J
      netlink: Fix spectre v1 gadget in netlink_create() · bc5b6c0b
      Jeremy Cline 提交于
      'protocol' is a user-controlled value, so sanitize it after the bounds
      check to avoid using it for speculative out-of-bounds access to arrays
      indexed by it.
      
      This addresses the following accesses detected with the help of smatch:
      
      * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
        spectre issue 'nlk_cb_mutex_keys' [w]
      
      * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
        spectre issue 'nlk_cb_mutex_key_strings' [w]
      
      * net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
        issue 'nl_table' [w] (local cap)
      
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: NJeremy Cline <jcline@redhat.com>
      Reviewed-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bc5b6c0b
    • I
      Documentation: dpaa2: Use correct heading adornment · e02ee981
      Ioana Ciornei 提交于
      Add overline heading adornment to document title in order to comply
      with kernel doc requirements.
      
      Fixes: 60b91319 staging: fsl-mc: Convert documentation to rst format
      Signed-off-by: NIoana Ciornei <ioana.ciornei@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e02ee981
    • J
      net: stmmac: Fix WoL for PCI-based setups · b7d0f08e
      Jose Abreu 提交于
      WoL won't work in PCI-based setups because we are not saving the PCI EP
      state before entering suspend state and not allowing D3 wake.
      
      Fix this by using a wrapper around stmmac_{suspend/resume} which
      correctly sets the PCI EP state.
      Signed-off-by: NJose Abreu <joabreu@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b7d0f08e
    • E
      bonding: avoid lockdep confusion in bond_get_stats() · 7e2556e4
      Eric Dumazet 提交于
      syzbot found that the following sequence produces a LOCKDEP splat [1]
      
      ip link add bond10 type bond
      ip link add bond11 type bond
      ip link set bond11 master bond10
      
      To fix this, we can use the already provided nest_level.
      
      This patch also provides correct nesting for dev->addr_list_lock
      
      [1]
      WARNING: possible recursive locking detected
      4.18.0-rc6+ #167 Not tainted
      --------------------------------------------
      syz-executor751/4439 is trying to acquire lock:
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
      
      but task is already holding lock:
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&bond->stats_lock)->rlock);
        lock(&(&bond->stats_lock)->rlock);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      3 locks held by syz-executor751/4439:
       #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
       #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
       #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
       #2: (____ptrval____) (rcu_read_lock){....}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215
      
      stack backtrace:
      CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
       check_deadlock kernel/locking/lockdep.c:1809 [inline]
       validate_chain kernel/locking/lockdep.c:2405 [inline]
       __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
       lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
       spin_lock include/linux/spinlock.h:310 [inline]
       bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
       dev_get_stats+0x10f/0x470 net/core/dev.c:8316
       bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432
       dev_get_stats+0x10f/0x470 net/core/dev.c:8316
       rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169
       rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611
       rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268
       rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300
       rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline]
       rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716
       notifier_call_chain+0x180/0x390 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
       call_netdevice_notifiers net/core/dev.c:1753 [inline]
       netdev_features_change net/core/dev.c:1321 [inline]
       netdev_change_features+0xb3/0x110 net/core/dev.c:7759
       bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120
       bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755
       bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528
       dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327
       dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
       sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992
       sock_ioctl+0x30d/0x680 net/socket.c:1093
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
       __do_sys_ioctl fs/ioctl.c:708 [inline]
       __se_sys_ioctl fs/ioctl.c:706 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x440859
      Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffc51a92878 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440859
      RDX: 0000000020000040 RSI: 0000000000008990 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
      R10: 00000000022d5880 R11: 0000000000000213 R12: 0000000000007390
      R13: 0000000000401db0 R14: 0000000000000000 R15: 0000000000000000
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7e2556e4