Commit Graph

722901 Commits

Author SHA1 Message Date
Linus Torvalds 9c02e0601b ARM: SoC fixes for 4.15-rc
ARM SoC fixes for this merge window:
 
  - A revert of all SCPI changes from the 4.15 merge window. They had
    regressions on the Amlogic platforms, and the submaintainer isn't
    around to fix these bugs due to vacation, etc. So we agreed to revert
    and revisit in next release cycle.
 
  - A series fixing a number of bugs for ARM CCN interconnect, around
    module unload, smp_processor_id() in preemptable context, and fixing
    some memory allocation failure checks.
 
  - A handful of devicetree fixes for different platforms, fixing
    warnings and errors that were previously ignored by the compiler.
 
  - The usual set of mostly minor fixes for different platforms.
 -----BEGIN PGP SIGNATURE-----
 
 iQJDBAABCAAtFiEElf+HevZ4QCAJmMQ+jBrnPN6EHHcFAloswBYPHG9sb2ZAbGl4
 b20ubmV0AAoJEIwa5zzehBx3bFoP/R6fAth5zVuUveykTbHYSs1Oz5XsLw4X77mA
 vg9Y2bBiz82/R7/weISxn28iXd29FQk0inbohI3bGsqJ+OInKiBNJ4UDrvuvrG39
 F2ifH7bjg6x9aooXx0VRXdECckO6klVhe8kjRovRZv712bWUA5uRG/6YUxnyC5LX
 6smrhFUAhj5StUqaY8rFlF8Pob9ftee0aM8/C3LAggQBhwqU5RXY8HgL0jLb919q
 ewOuDgO3FtfrigtOlDWkrQLRe+sY2b5D97Z4amIe4rojqvD6i7grRFBfkfDb4gR2
 7Vc0FZmk7OaaOLsLChv8H8atCxpDJ6KPpg5NAfXk4KM2kbWLbinkLPMbXxSXB4bC
 Q26PPZhKP1OupsSl/9fewHbZeaMZSY0kQXHxBIXCtyMV110TsLVmdFTksbV0gVKk
 x0lBAttX2RZiRU0bFxOHACEXnRTS4/uDCxBvxh5othQZg5EqAEqcFoium2psMvsJ
 XzFPNetyqPE2KhOUMfwUbOtWs2js5E4HaxwyF9xduw32g10NxtRTKGUMeDrxdtW3
 dHQZMr33yLkSkk08S4LMdwUrlONieyJZYeVZ2Jxd+Lv4bn4ZX8mDbLU24BCtLwUI
 wR+8zS2YSVfer/t5JC+dIJzKAiufeOFovNurlsoFJsE2yNLfekZcZ/x63ZdVQnve
 8f0mibwa
 =DIHP
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Olof Johansson:

 - A revert of all SCPI changes from the 4.15 merge window. They had
   regressions on the Amlogic platforms, and the submaintainer isn't
   around to fix these bugs due to vacation, etc. So we agreed to revert
   and revisit in next release cycle.

 - A series fixing a number of bugs for ARM CCN interconnect, around
   module unload, smp_processor_id() in preemptable context, and fixing
   some memory allocation failure checks.

 - A handful of devicetree fixes for different platforms, fixing
   warnings and errors that were previously ignored by the compiler.

 - The usual set of mostly minor fixes for different platforms.

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (42 commits)
  ARM64: dts: meson-gx: fix UART pclk clock name
  ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds
  arm: dts: nspire: Add missing #phy-cells to usb-nop-xceiv
  ARM: dts: Fix dm814x missing phy-cells property
  ARM: dts: Fix elm interrupt compiler warning
  bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
  bus: arm-cci: Fix use of smp_processor_id() in preemptible context
  bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
  bus: arm-ccn: Simplify code
  bus: arm-ccn: Check memory allocation failure
  bus: arm-ccn: constify attribute_group structures.
  firmware: arm_scpi: Revert updates made during v4.15 merge window
  arm: dts: marvell: Add missing #phy-cells to usb-nop-xceiv
  arm64: dts: sort vendor subdirectories in Makefile alphabetically
  meson-gx-socinfo: Fix package id parsing
  ARM: meson: fix spelling mistake: "Couln't" -> "Couldn't"
  ARM: dts: meson: fix the memory region of the GPIO interrupt controller
  ARM: dts: meson: correct the sort order for the the gpio_intc node
  MAINTAINERS: exclude other Socionext SoC DT files from ARM/UNIPHIER entry
  arm64: dts: uniphier: remove unnecessary interrupt-parent
  ...
2017-12-10 08:26:59 -08:00
Linus Torvalds c465fc11e5 KVM fixes for v4.15-rc3
ARM:
  * A number of issues in the vgic discovered using SMATCH
  * A bit one-off calculation in out stage base address mask (32-bit and
    64-bit)
  * Fixes to single-step debugging instructions that trap for other
    reasons such as MMMIO aborts
  * Printing unavailable hyp mode as error
  * Potential spinlock deadlock in the vgic
  * Avoid calling vgic vcpu free more than once
  * Broken bit calculation for big endian systems
 
 s390:
  * SPDX tags
  * Fence storage key accesses from problem state
  * Make sure that irq_state.flags is not used in the future
 
 x86:
  * Intercept port 0x80 accesses to prevent host instability (CVE)
  * Use userspace FPU context for guest FPU (mainly an optimization that
    fixes a double use of kernel FPU)
  * Do not leak one page per module load
  * Flush APIC page address cache from MMU invalidation notifiers
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABCAAGBQJaLA93AAoJEED/6hsPKofo9msH/2DrqT2FOKfLuxNR2FeUGWr3
 lqFoBRUXrVDMINGStnWrV36h/xYzlgJl9jtSDS8dr3VxLqtrNLlDg9NmGeogoZ+k
 /xewr/jFYoSRfffsvrbkzORUfvu6zqvJwufiwBEJwAfcswiLqPizdFXcxtUL4eZE
 9s9sIweo5zp2Xjg5yLOEkyanePKMEht/81zPkHyM+g0ZMoaPam3qZHA0lLzdyRgd
 G9LpSyiMFHguYYgbwipaVue3zgMY1EdmKQ8C2hEPmZd8nVau26YDwRnAwwLrmVkW
 sFhGO1Xi18TzQPokzALC25c9v0fqgxL5+fNyFNgWwTc2n9PSwO+IHcy699UH+3A=
 =Qcqd
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Radim Krčmář:
 "ARM:
   - A number of issues in the vgic discovered using SMATCH
   - A bit one-off calculation in out stage base address mask (32-bit
     and 64-bit)
   - Fixes to single-step debugging instructions that trap for other
     reasons such as MMMIO aborts
   - Printing unavailable hyp mode as error
   - Potential spinlock deadlock in the vgic
   - Avoid calling vgic vcpu free more than once
   - Broken bit calculation for big endian systems

 s390:
   - SPDX tags
   - Fence storage key accesses from problem state
   - Make sure that irq_state.flags is not used in the future

  x86:
   - Intercept port 0x80 accesses to prevent host instability (CVE)
   - Use userspace FPU context for guest FPU (mainly an optimization
     that fixes a double use of kernel FPU)
   - Do not leak one page per module load
   - Flush APIC page address cache from MMU invalidation notifiers"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (28 commits)
  KVM: x86: fix APIC page invalidation
  KVM: s390: Fix skey emulation permission check
  KVM: s390: mark irq_state.flags as non-usable
  KVM: s390: Remove redundant license text
  KVM: s390: add SPDX identifiers to the remaining files
  KVM: VMX: fix page leak in hardware_setup()
  KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
  x86,kvm: remove KVM emulator get_fpu / put_fpu
  x86,kvm: move qemu/guest FPU switching out to vcpu_run
  KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
  KVM: arm/arm64: kvm_arch_destroy_vm cleanups
  KVM: arm/arm64: Fix spinlock acquisition in vgic_set_owner
  kvm: arm: don't treat unavailable HYP mode as an error
  KVM: arm/arm64: Avoid attempting to load timer vgic state without a vgic
  kvm: arm64: handle single-step of hyp emulated mmio instructions
  kvm: arm64: handle single-step during SError exceptions
  kvm: arm64: handle single-step of userspace mmio instructions
  kvm: arm64: handle single-stepping trapped instructions
  KVM: arm/arm64: debug: Introduce helper for single-step
  arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
  ...
2017-12-10 08:24:16 -08:00
Olof Johansson 8be0b9886b Merge branch 'fixes' into for-next
* fixes:
  ARM64: dts: meson-gx: fix UART pclk clock name
  ARM: dts: Fix dm814x missing phy-cells property
  ARM: dts: Fix elm interrupt compiler warning
  bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
  bus: arm-cci: Fix use of smp_processor_id() in preemptible context
  bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
  bus: arm-ccn: Simplify code
  bus: arm-ccn: Check memory allocation failure
  bus: arm-ccn: constify attribute_group structures.
  meson-gx-socinfo: Fix package id parsing
  ARM: meson: fix spelling mistake: "Couln't" -> "Couldn't"
  ARM: dts: meson: fix the memory region of the GPIO interrupt controller
  ARM: dts: meson: correct the sort order for the the gpio_intc node
2017-12-09 20:23:58 -08:00
Olof Johansson ce39882eb1 Amlogic fixes for v4.15-rc
- GPIO interrupt fixes
 - socinfo fix for GX series
 - fix typo
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEe4dGDhaSf6n1v/EMWTcYmtP7xmUFAloq33MACgkQWTcYmtP7
 xmVqdxAAjP5E/B52UpRqDDxANPrhUPDHLVI+JkJqtmAEn7G9+eyf/WOOJXLsdJTY
 1JEqBd2cg2Gnj5VhhfVZDFVVebGboYB6OJPgPlvL+EjYShPf2P0Xug2xFxuxFMOA
 ed48amV2cz+/3AXGuKmDcUKdN6LAcF1ax7kXCUSQKUbK/s4EmuYXjwHRJrvw1PrH
 4Rpt5Zw6u1t5na26KDBit9OkRL5g0o8SX829MhbHqPScDvAi2wYy95i+Ay1PNFin
 uUojff5V1OBbeYZMamUIjl3e2/BCecPdaBwDFsnz+SlFfYQIy6g0zQEjRa9BGnMi
 i/LQOr09l/Dl1Wlexl0rwq3vEXr5hT9JfA9IpLBOJRccG6RUl/TarjpwSqtPPFmf
 eMdIGZd9S+06+vRtJxaFEW+AJ9qFg3EtQCU4EWuzsE1UABa3q5KnIRr5fh5X85N2
 HIJmDbnVsVLDv3gAkQykaHkO9YLjFS8Cq58ILWBEFCMKZUL2JanZAB/s5+3xTf+w
 Y+jQQA8LQ5NgvhcH+iBt+7brkBFcxbWrvgMxnWEsIxR+vFbTF/Dq52foJsjnK7kQ
 xXa/hyE52EsRiUPXLGJ5Gj+Z89VYfkjmqvLCBVIdpkyfhaOvRse82UcoPDnV0+Dt
 RiLZ0CS7z432CMLfJAy+YnbdSK/6/Kxv8BeK5DAeY2CvtXl+SYE=
 =xHta
 -----END PGP SIGNATURE-----

Merge tag 'amlogic-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic into fixes

Amlogic fixes for v4.15-rc
- GPIO interrupt fixes
- socinfo fix for GX series
- fix typo

* tag 'amlogic-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic:
  ARM64: dts: meson-gx: fix UART pclk clock name
  meson-gx-socinfo: Fix package id parsing
  ARM: meson: fix spelling mistake: "Couln't" -> "Couldn't"
  ARM: dts: meson: fix the memory region of the GPIO interrupt controller
  ARM: dts: meson: correct the sort order for the the gpio_intc node

Signed-off-by: Olof Johansson <olof@lixom.net>
2017-12-09 20:23:29 -08:00
Olof Johansson 3dda7f63e0 bus: ARM CCN and CCI PMU driver fixes
This is a bunch of fixes CCN and (guest starring this time) CCI drivers.
 
 * Check for potential of failed allocation for the driver name string
 * Manage CPU ID properly at allocation (both CCN and CCI)
 * Fix module unload warnings related to objects release order
 * Small improvements like using allocating printfs and proper
   attributes constification
 
 The one fixing potential issues have been cc-ed to stable.
 -----BEGIN PGP SIGNATURE-----
 
 iQEwBAABCAAaBQJaJYRMExxwYXdlbC5tb2xsQGFybS5jb20ACgkQv2NFol9drk+D
 MAf7BbBQS5Bx2cT8gb7hlOFQa72io5i26E6vw46xumS6LmycynK1MuX9NSNpClYN
 zRNT6qitovWwLeicd+Dh5XL2371rjORa7TNfZt/CiyRB8W+fix5RnlZuSfpEeCcc
 dGGtUoz0PETblp9ovCAqWEmxUn2vs9+hRlPg+fxIJBDP34MnwwLTaDioalaBLbn5
 GxDBwwrdv1PEnOL0dwuhNcg94+pdHqg21BXIfDwcbzus/fiTcCUbjsoMr7TXPmCY
 0PaEOrTIdPIBxvpeZogqZ2GkQQucW+4FKq281UXCDmS7BsP3V7OsqhelSVAwe2jE
 LjzCJlf6YBTIx7OXffB7yukvnw==
 =K2m2
 -----END PGP SIGNATURE-----

Merge tag 'ccn/fixes-for-4.15' of git://git.linaro.org/people/pawel.moll/linux into fixes

bus: ARM CCN and CCI PMU driver fixes

This is a bunch of fixes CCN and (guest starring this time) CCI drivers.

* Check for potential of failed allocation for the driver name string
* Manage CPU ID properly at allocation (both CCN and CCI)
* Fix module unload warnings related to objects release order
* Small improvements like using allocating printfs and proper
  attributes constification

The one fixing potential issues have been cc-ed to stable.

* tag 'ccn/fixes-for-4.15' of git://git.linaro.org/people/pawel.moll/linux:
  bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
  bus: arm-cci: Fix use of smp_processor_id() in preemptible context
  bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
  bus: arm-ccn: Simplify code
  bus: arm-ccn: Check memory allocation failure
  bus: arm-ccn: constify attribute_group structures.

Signed-off-by: Olof Johansson <olof@lixom.net>
2017-12-09 20:22:46 -08:00
Olof Johansson 69b8df5d6a Two fixes for dts compiler warnings
These recently started showing up with better dtc checks being
 introduced.
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEEkgNvrZJU/QSQYIcQG9Q+yVyrpXMFAlomypwRHHRvbnlAYXRv
 bWlkZS5jb20ACgkQG9Q+yVyrpXNVDA//XzuwM4eH7SPQGI2gTiZ21WUU+n1zDzjD
 bCaHMgtz8rmifFVVBjP9cWIEKyhlUt3owuY3gfaSvzOcL9a4WfVDwS6hAb4TtjVa
 0o6oEralG7D/L7QyIGJM3abGdDvKXs3HGyUuqpkt61TnmstJQXWjz6vRFroIP6bl
 ogn++GFiigBdF+HC555QCMNvWMotN8C7qDbqugmkhE5JBF+1HkQOAFuYb2YT8w2A
 DxWRgMrR0sS+kVLtJVSFOCluaALmxHICkjbPApS0xXBrvbjBnwx74tdT3Tikd1uu
 tBniisQU/AMN/HmhsyPP1G8oZYcwhHxEgVZQXCeBK5H2RsCZQTzCP5iywuh3gvzG
 MUctaPIHkyhx1FvYlSQ9G7SygZDBxSlhz1gIZ4+3a9ZEaH+hZmONJ0tyTPBD78CU
 yVugCSD2o9Tz0qNGGVcEUI79uGTFiKFt5M5V6WWVgjpFjfMC/Nir+LAUTH8/KiRZ
 CKkm1Tr6zJwkI50h3vlJLF3nYTDBEZSsQhICGu6wN/0sWqXruLWNty0lKv2HLpEi
 8rpNBlz/cmTVFa8X3IlwI9tYt+ZkABWd52FUCQHoXFLDRR6W87VFPLHhWJl7sVnL
 qvsoo0dvlJVdTHISJgjP5VJdK4Ed2mq3dCHBqFLAcNPndO4Ifjncm8fIWjCJW2T4
 rKk/6enGmFU=
 =BHn4
 -----END PGP SIGNATURE-----

Merge tag 'omap-for-v4.15/fixes-dt-warnings' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes

Two fixes for dts compiler warnings

These recently started showing up with better dtc checks being
introduced.

* tag 'omap-for-v4.15/fixes-dt-warnings' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
  ARM: dts: Fix dm814x missing phy-cells property
  ARM: dts: Fix elm interrupt compiler warning

Signed-off-by: Olof Johansson <olof@lixom.net>
2017-12-09 20:22:01 -08:00
James Morris 4ded3bec65 Keyrings fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIVAwUAWiqvvPSw1s6N8H32AQLq0Q/+LaD+nbuVGCnTSQ1h3QyU2xJrvhnjJseU
 CpsMctc4XT4iyI7VjhhVZQBQm7bnS3ZEFSz95aDpNsTA8z4VTF3loVvqaaRV2k3q
 dBciol9sqPbzSLLvS49lxoa4ZfxATvwvzhiVq5yi1XavWhl1svf42kH27J3PJ+DV
 IzzaARNZ4GmiJOx4TUfN7jypro6Vc0k6oILAKUjifJ9mCh9eYUoHILzzlOg+FqtY
 OIFcHdc7kbNDJwHaChZDxMK/jbp87feQ6z+H66zoIClV405g9MBIO21xVnikL1fK
 4SHdfLPy4XVgLVYqseAMoAcm7ZIxF/WYBDpfdd77urCc5FPifILWDJ4sn4SPRTZT
 2eE761RmyH3TB6Xe6TyCL7NjpFruI7X2hFExgDVYnbsAlPlMvHB2BvcBMaeFDTnn
 Gh7w+FX4LT9hC9hNyOEop5fB0Bi3A53/3W4vQWStTMNslDh7at9p1SJlcFf/Ix6M
 P1TcsaPR3P0juZ4Klku3JOIyU8e1ogji1W+vjGe/2fCSS5dTZnsF4wOd8dqCc/PB
 gZJk6MDt8CIm7amTEj50Pp+35MlOolnM+TC4DLZ9i8nZf73Ec9SIbuXfX3wKK1JX
 5pde9oUlX3/QTQPso2Dt7Yzl5Vnhwro48Hf5IHV45wyp1stFggB0t4AmpAxA1g87
 odyy5L1AESw=
 =Yz52
 -----END PGP SIGNATURE-----

Merge tag 'keys-fixes-20171208' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into keys-for-linus

Assorted fixes for keyrings, ASN.1, X.509 and PKCS#7.
2017-12-09 14:39:48 +11:00
Michal Hocko f335195adf kmemcheck: rip it out for real
Commit 4675ff05de ("kmemcheck: rip it out") has removed the code but
for some reason SPDX header stayed in place.  This looks like a rebase
mistake in the mmotm tree or the merge mistake.  Let's drop those
leftovers as well.

Signed-off-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-12-08 13:40:17 -08:00
Linus Torvalds e9ef1fe312 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) CAN fixes from Martin Kelly (cancel URBs properly in all the CAN usb
    drivers).

 2) Revert returning -EEXIST from __dev_alloc_name() as this propagates
    to userspace and broke some apps. From Johannes Berg.

 3) Fix conn memory leaks and crashes in TIPC, from Jon Malloc and Cong
    Wang.

 4) Gianfar MAC can't do EEE so don't advertise it by default, from
    Claudiu Manoil.

 5) Relax strict netlink attribute validation, but emit a warning. From
    David Ahern.

 6) Fix regression in checksum offload of thunderx driver, from Florian
    Westphal.

 7) Fix UAPI bpf issues on s390, from Hendrik Brueckner.

 8) New card support in iwlwifi, from Ihab Zhaika.

 9) BBR congestion control bug fixes from Neal Cardwell.

10) Fix port stats in nfp driver, from Pieter Jansen van Vuuren.

11) Fix leaks in qualcomm rmnet, from Subash Abhinov Kasiviswanathan.

12) Fix DMA API handling in sh_eth driver, from Thomas Petazzoni.

13) Fix spurious netpoll warnings in bnxt_en, from Calvin Owens.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (67 commits)
  net: mvpp2: fix the RSS table entry offset
  tcp: evaluate packet losses upon RTT change
  tcp: fix off-by-one bug in RACK
  tcp: always evaluate losses in RACK upon undo
  tcp: correctly test congestion state in RACK
  bnxt_en: Fix sources of spurious netpoll warnings
  tcp_bbr: reset long-term bandwidth sampling on loss recovery undo
  tcp_bbr: reset full pipe detection on loss recovery undo
  tcp_bbr: record "full bw reached" decision in new full_bw_reached bit
  sfc: pass valid pointers from efx_enqueue_unwind
  gianfar: Disable EEE autoneg by default
  tcp: invalidate rate samples during SACK reneging
  can: peak/pcie_fd: fix potential bug in restarting tx queue
  can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  can: ems_usb: cancel urb on -EPIPE and -EPROTO
  can: mcba_usb: cancel urb on -EPROTO
  usbnet: fix alignment for frames with no ethernet header
  tcp: use current time in tcp_rcv_space_adjust()
  ...
2017-12-08 13:32:44 -08:00
Linus Torvalds 77071bc6c4 media fixes for v4.15-rc3
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaKrOpAAoJEAhfPr2O5OEVK5sP/iHWDJtRw/WWBYOqF9cGFl0o
 ssh1iXJAsOmLjaARMOkxQBPLwTvVMreux2fHow/mukrXB8BIR7OmflBaQRLM3lbW
 xm9G4yarXf7xgkxngisemQrJiweNyaNDX9P0BqJLV55Xhp+rO2Q6rutspho3xzoo
 Pmz7bgnt0FjBKz+0LWnKnzozdNinj2uhTdBOTgm9rUuUUGiAVTAQSNUq2e5Gzw3m
 DhO4UPOJDRmnZ6Rqldq2pD2wzmRfbVonirz7IEh7j2opcAoCM2TnmM+Z9C5zjlUj
 XVFagiR+XG8lsh2zvHdweter4X9DqLBlMbBDVAQ+vH+xhBuz63Yqq1pSIvXA342U
 rs1X182FSyE+pOxipuae94csHkyzlb9tmzoiUoItU+QXi8Wlg8pLH6GFQe/72t/g
 HpcXMBq2lflc2KDstx+QGs/G+1EYtz64vUXZ4pvuIitrhdbd5ulLh7Y7nb7qfEym
 WEHpaJwxh4MZh6RzB2tq+Tvy0/sD1krNjPTXtf2CuTdFNUuvk8QenRW1q2YVA06L
 UOTxRpfPYUPwhGKOoKb2IJ5g1xoztoqMaafdsUJ16H7fcuVtE9xQayVCVhaBuo08
 4g7SFCb7MhNLFG1Su291u9PKYlvGhCJaDPKE/6E+IM6szxt7h/kveYsdb05yWOoB
 di+cIWZkCRUzbO7fxz4J
 =xoHW
 -----END PGP SIGNATURE-----

Merge tag 'media/v4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:

 "A series of fixes for the media subsytem:

   - The largest amount of fixes in this series is with regards to
     comments that aren't kernel-doc, but start with "/**".

     A new check added for 4.15 makes it to produce a *huge* amount of
     new warnings (I'm compiling here with W=1). Most of the patches in
     this series fix those.

     No code changes - just comment changes at the source files

   - rc: some fixed in order to better handle RC repetition codes

   - v4l-async: use the v4l2_dev from the root notifier when matching
     sub-devices

   - v4l2-fwnode: Check subdev count after checking port

   - ov 13858 and et8ek8: compilation fix with randconfigs

   - usbtv: a trivial new USB ID addition

   - dibusb-common: don't do DMA on stack on firmware load

   - imx274: Fix error handling, add MAINTAINERS entry

   - sir_ir: detect presence of port"

* tag 'media/v4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (50 commits)
  media: imx274: Fix error handling, add MAINTAINERS entry
  media: v4l: async: use the v4l2_dev from the root notifier when matching sub-devices
  media: v4l2-fwnode: Check subdev count after checking port
  media: et8ek8: select V4L2_FWNODE
  media: ov13858: Select V4L2_FWNODE
  media: rc: partial revert of "media: rc: per-protocol repeat period"
  media: dvb: i2c transfers over usb cannot be done from stack
  media: dvb-frontends: complete kernel-doc markups
  media: docs: add documentation for frontend attach info
  media: dvb_frontends: fix kernel-doc macros
  media: drivers: remove "/**" from non-kernel-doc comments
  media: lm3560: add a missing kernel-doc parameter
  media: rcar_jpu: fix two kernel-doc markups
  media: vsp1: add a missing kernel-doc parameter
  media: soc_camera: fix a kernel-doc markup
  media: mt2063: fix some kernel-doc warnings
  media: radio-wl1273: fix a parameter name at kernel-doc macro
  media: s3c-camif: add missing description at s3c_camif_find_format()
  media: mtk-vpu: add description for wdt fields at struct mtk_vpu
  media: vdec: fix some kernel-doc warnings
  ...
2017-12-08 13:18:47 -08:00
Linus Torvalds 4066aa72f9 i915, amdgpu + misc fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaKedrAAoJEAx081l5xIa+CLkP/AkLTMW17WT/aktLfq4/+NQV
 WGcLxQw+SB9iYMffFUNdQdMqv3pKsDzeatifxNuoRnjvK6rNZDUFK11SoTEFCdA+
 opI3zBPiyMVv71LtLF/r2kj3Vw5rnARdCg24FIzptGg/4j+G0EOb9uzd9qjmjof1
 r2XD1f0mjIG6SREMYCZPJj/Q/ZGfWFKXxcatmf87sAoq4o2nfoQ1Sl0T4cnMV7yp
 FzzFKA/j6OaiVa0Tb1KiJOl8VnW5f9STanUynFcPtKd2mhDcVaEP4lAfBhHgccd8
 ufmsyPJDadGQDT0iQY5E8n+ht124wg4gW8TKGqyxDfxuzTFj2k62WOUMH4eSjGSt
 x7SHEewTQLoV5kIPp0y00T2NWuA4/jmjjgllQZgqSFwnsv8fQ9/GwLNPWrUGM0+z
 6sqzj7QRyn8GGuYblqVghVYj0bX3ovmYlLzOaKZ+pNSM34hLBFRenZQ5mKJ6WrcE
 SIKzuQm3HEC8KwNw72zZ6+zz5fc7x9KuURztwEPt6vOMnxz1PtjWSdHzfvja4cH2
 6D2t0lZSqkM244FFG4ImFP6CDF+8vaY7i9YybjYteycWH7o9haVa869vCxUdNUWo
 DDghWKPRjbl7LJLJ14BxMrg0+sk+XWYcoZXjUAM0rYFFOWoFkVAlF8Sy3kgb5Pky
 wMLalQohWFbkZY60q02h
 =2f34
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "This pull is a bit larger than I'd like but a large bunch of it is
  license fixes, AMD wanted to fix the licenses for a bunch of files
  that were missing them,

 Otherwise a bunch of TTM regression fix since the hugepage support,
 some i915 and gvt fixes, a core connector free in a safe context fix,
 and one bridge fix"

* tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux: (26 commits)
  drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
  Revert "drm/i915: Display WA #1133 WaFbcSkipSegments:cnl, glk"
  drm/vc4: Fix false positive WARN() backtrace on refcount_inc() usage
  drm/i915: Call i915_gem_init_userptr() before taking struct_mutex
  drm/exynos: remove unnecessary function declaration
  drm/exynos: remove unnecessary descrptions
  drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
  drm/exynos: Fix dma-buf import
  drm/ttm: swap consecutive allocated pooled pages v4
  drm: safely free connectors from connector_iter
  drm/i915/gvt: set max priority for gvt context
  drm/i915/gvt: Don't mark vgpu context as inactive when preempted
  drm/i915/gvt: Limit read hw reg to active vgpu
  drm/i915/gvt: Export intel_gvt_render_mmio_to_ring_id()
  drm/i915/gvt: Emulate PCI expansion ROM base address register
  drm/ttm: swap consecutive allocated cached pages v3
  drm/ttm: roundup the shrink request to prevent skip huge pool
  drm/ttm: add page order support in ttm_pages_put
  drm/ttm: add set_pages_wb for handling page order more than zero
  drm/ttm: add page order in page pool
  ...
2017-12-08 13:11:57 -08:00
Linus Torvalds 7267212c80 Merge tag 'md/4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md
Pull md fixes from Shaohua Li:
 "Some MD fixes.

  The notable one is a raid5-cache deadlock bug with dm-raid, others are
  not significant"

* tag 'md/4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
  md/raid1/10: add missed blk plug
  md: limit mdstat resync progress to max_sectors
  md/r5cache: move mddev_lock() out of r5c_journal_mode_set()
  md/raid5: correct degraded calculation in raid5_error
2017-12-08 13:03:02 -08:00
Linus Torvalds 78d9b04844 DeviceTree fixes for v4.15 (part2):
- Fixes from overlay code rework. A trifecta of fixes to the locking,
   an out of bounds access, and a memory leak in of_overlay_apply().
 
 - Clean-up at25 eeprom binding document
 
 - Remove leading '0x' in unit-addresses from binding docs
 -----BEGIN PGP SIGNATURE-----
 
 iQItBAABCAAXBQJaKrC8EBxyb2JoQGtlcm5lbC5vcmcACgkQ+vtdtY28YcPY7Q/9
 GOZDOhajewVoYo+LkKl8+1wtdih7QHOvziKY8Jn1Nd/o6ASXU5ltOxvk5iF/q4tz
 x7JFKMkUo8eyOy5p5XnkqAzOnQ+rP+aRvHxjeAiMtQZRtMcDJ6bv4FRMI4/hq610
 QocAcxzblXJayy/Ad2sbuMr34O6QBkvnicMiLHZNb2IhCgk0nxBbyiNJDr868XE6
 CwlkKgo+y0fFJKkW3y4v4jaMdMlmcxTPTY+4jOJoGnnD1LgNwNRgkTFCzRQLebBk
 E5D6XweMS7G0IOO8wLYEn70JYsNk4wRGjIvlZGR1e5REQNgT9H+1J8rXLxlWc5rk
 l2o4V3+nrBj3BpVCG5oQWBrwVsMZS8ExdnRnrGmZJ25C1EFzlRHGYtsvo6fvXsLs
 T2VfYPEDhN5IHZiUU/rcHfz1VpHjuBrtFStPQkFTSTfO52n22Q5KWBxHUqUjXbBZ
 phcPoHcDm+FfO4swkLuIP0wDAiNj8SJpJJNnHLrgIuy52UvXe/VD5BlY5RgXIZbg
 XhxAcsNKrqfH8ggfbM7ndXkUoFrDyl/dOupfwbtwzNqDQiPGvpjkr9hmE7XIL2aJ
 tyGahgkpZ3n49oGJPe5rTHKJacZBkl6rNI2CFQfERXyGYUmQSEU6AViSSyRG6ljK
 kXLmIzNPgJJF/I9YC3q8Wr6FUoOAapE7Zww/Cc83xJ8=
 =vBBN
 -----END PGP SIGNATURE-----

Merge tag 'devicetree-fixes-for-4.15-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

Pull DeviceTree fixes from Rob Herring:
 "Another set of DT fixes:

   - Fixes from overlay code rework. A trifecta of fixes to the locking,
     an out of bounds access, and a memory leak in of_overlay_apply()

   - Clean-up at25 eeprom binding document

   - Remove leading '0x' in unit-addresses from binding docs"

* tag 'devicetree-fixes-for-4.15-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  of: overlay: Make node skipping in init_overlay_changeset() clearer
  of: overlay: Fix out-of-bounds write in init_overlay_changeset()
  of: overlay: Fix (un)locking in of_overlay_apply()
  of: overlay: Fix memory leak in of_overlay_apply() error path
  dt-bindings: eeprom: at25: Document device-specific compatible values
  dt-bindings: eeprom: at25: Grammar s/are can/can/
  dt-bindings: Remove leading 0x from bindings notation
  of: overlay: Remove else after goto
  of: Spelling s/changset/changeset/
  of: unittest: Remove bogus overlay mutex release from overlay_data_add()
2017-12-08 13:00:51 -08:00
Linus Torvalds 900add27f5 virtio: bugfixes
A couple of minor bugfixes.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJaKW26AAoJECgfDbjSjVRpDwIH/1tq1vcjd5i00nh+gQD7jWm2
 qWrpcKbsS0ANTvhm9UNFY24BVoPuNpNrApQpuBxmgxE/XGqx7A+8xXhwPAM5lLiG
 uDSPB2nsfjvEUOde7bgeR+t6ay+Ki2UWKzY46lSoCTcIN7BSVFWQZonsGu2xLDzz
 kKpCtlobXRnXzeWm+fh1oOZu/cn/TuAF0mbb+6TUQqSsHAt6PQ3Hwsly2EmQV5xR
 of6Si/TnxFOkhZUKpezbuTU/g/20ZkHUSzgfrOuZLGonaIvZIE6BUm8m21/IgCbw
 WnwSqe66WsWF2vd0RDLFq4L3qaRyGn+W7iYo3KPbwIPEEotSRFMUgixBWBB3IgU=
 =Pf4w
 -----END PGP SIGNATURE-----

Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost

Pull virtio bugfixes from Michael Tsirkin:
 "A couple of minor bugfixes"

* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
  virtio_net: fix return value check in receive_mergeable()
  virtio_mmio: add cleanup for virtio_mmio_remove
  virtio_mmio: add cleanup for virtio_mmio_probe
2017-12-08 12:58:51 -08:00
Linus Torvalds 32abeb09ab xen: fixes for 4.15-rc3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABAgAGBQJaKlu/AAoJELDendYovxMvaqoH/i7gN9xry7QkUM6RkwddGwYY
 v0rqaUo4WCW27yFOE7Bzej9Y+W92/eFPJnVUhc/quTVfV+uEjbs4PiAwuxSr+lIU
 X+BhBNbEi9C5RlRL1z75J0ZySyu6WXL2hsmPbc0wrrqdQikfiZ7bnRjdGAHh5C5C
 TijKQKGZTt6ccjIPUEZTIqeajOt/p7uxkCXPWhHQA1mudf9PVhsKyYnGdYp5gp8X
 KID+8XmKtAcSwPUz+eG9vGlGwmP28mH0BfCT0suC2uUI4o+PJFPqBTlfsco2kfHO
 NqVCgnMZs31Js8mdEVz8h2ZO8m2T5m1oml1zOeyDbgTJ8yjqgADy8K6Lm38clko=
 =ZHtb
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-4.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:
 "Just two small fixes for the new pvcalls frontend driver"

* tag 'for-linus-4.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/pvcalls: Fix a check in pvcalls_front_remove()
  xen/pvcalls: check for xenbus_read() errors
2017-12-08 12:53:43 -08:00
Linus Torvalds d90696ed61 powerpc fixes for 4.15 #4
One notable fix for kexec on Power9, where we were not clearing MMU PID properly
 which sometimes leads to hangs. Finally debugged to a root cause by Nick.
 
 A revert of a patch which tried to rework our panic handling to get more output
 on the console, but inadvertently broke reporting the panic to the hypervisor,
 which apparently people care about.
 
 Then a fix for an oops in the PMU code, and finally some s/%p/%px/ in xmon.
 
 Thanks to:
   David Gibson, Nicholas Piggin, Ravi Bangoria.
 -----BEGIN PGP SIGNATURE-----
 
 iQIwBAABCAAaBQJaKoWXExxtcGVAZWxsZXJtYW4uaWQuYXUACgkQUevqPMjhpYAp
 Rw/+KRvwt1jt3vFKrWlcXQ4Mx4UTseSaBO7FsGwyANqNGUNvkIEIAZYu6M9x0LLh
 tfVowZdJ2vQrgdZy4Rd5zhIjzVaybyENMAMZFmGCxQUidORdibP2qT+3612FmQl0
 rczQB4Ra1Jymw+42iwe4WQfyta9cvVgfk7D+1KVWaCXQ0lx8DynZ75yK+U0fensz
 FPQNdtkfC2D37IFrqtgGBS5YLkeQpfftm8C/eBG0n2tv8PO1KM5xwVU8Ovf5LoIm
 8NbWL//H+zUOoU2jCGHDMfg1qLv9owScTMRtquQSmrE1i21mE2lLOSDSM105+AP2
 7CVRMMkth8V9w/nauPq0a5OGyzJWtClI9qj2ZPWS2wPF331g58GUNJsEy7OQAJgO
 QZoqcCkpT5qarmxkcKJlYZGF6AZ/4mIBL9mucfQc/afEgRUqksaUKck0qD5SW28j
 fm3pPjlMyf2vMRKGgaE9/+by5N/Bmxy2VCoFSuhm1ZrQsIpZXtp/Mfylqz0msdhU
 VCt4T229S7rdCQTn2TyMNW+iVmjlgvR4OUXvba/eBz67gzGk4huLNB4EnEwHA/SK
 qhkTJqYbP9B/MBD9GrNLFzG5yZTTv+3OA/aehL0PEGouV7cgMEqyGtYw2afwggRC
 sf+veK/2apPMnlA5WItEa7JPWaTLsxljZ65acskb7S/4W8g=
 =wU60
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-4.15-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:

 "One notable fix for kexec on Power9, where we were not clearing MMU
  PID properly which sometimes leads to hangs. Finally debugged to a
  root cause by Nick.

  A revert of a patch which tried to rework our panic handling to get
  more output on the console, but inadvertently broke reporting the
  panic to the hypervisor, which apparently people care about.

  Then a fix for an oops in the PMU code, and finally some s/%p/%px/ in
  xmon.

  Thanks to: David Gibson, Nicholas Piggin, Ravi Bangoria"

* tag 'powerpc-4.15-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/xmon: Don't print hashed pointers in xmon
  powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
  Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier"
  powerpc/perf: Fix oops when grouping different pmu events
2017-12-08 12:52:09 -08:00
David S. Miller fd29117aeb linux-can-fixes-for-4.15-20171208
-----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEE4bay/IylYqM/npjQHv7KIOw4HPYFAloqeVYTHG1rbEBwZW5n
 dXRyb25peC5kZQAKCRAe/sog7Dgc9tiqCADK4f/QYW5q5jC93A6JZSItI8vAK2+h
 0s4MRTj9x+thBIGIhJ59uYBSTd374bvsWmrGdV7CBoGX4TnEJfGiMV77lpGnGRVG
 jpzk9cSFoAnE5UW2qZlF+JM8SNEFlU18MCQQlnMzKbSGerUAlveK+mcF5sJrqrQh
 CGZ9MH1Bp4Fz3WMRQ9hHzKWjTOhhM54qjPceCVTZM6I0RJam6I2lpVZPQeom9uVa
 r+F5Lv2ZOpNZc+8Pbu+L95YyivKKaQOPzeP4btFLNEHUyFDygHcv2iKRIn9MdEu2
 2XfaDVKk2Ey/qWc782SLBxLOihnhWltwC7Kg1ZnrLhNZ6V5UbYQ5FzF4
 =OMZE
 -----END PGP SIGNATURE-----

Merge tag 'linux-can-fixes-for-4.15-20171208' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2017-12-08

this is a pull request of 6 patches for net/master.

Martin Kelly provides 5 patches for various USB based CAN drivers, that
properly cancel the URBs on adapter unplug, so that the driver doesn't
end up in an endless loop. Stephane Grosjean provides a patch to restart
the tx queue if zero length packages are transmitted.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:53:54 -05:00
David S. Miller 03afb6e43a wireless-drivers fixes for 4.15
Second set of fixes for 4.15. This time a lot of iwlwifi patches and
 two brcmfmac patches. Most important here are the MIC and IVC fixes
 for iwlwifi to unbreak 9000 series.
 
 iwlwifi
 
 * fix rate-scaling to not start lowest possible rate
 
 * fix the TX queue hang detection for AP/GO modes
 
 * fix the TX queue hang timeout in monitor interfaces
 
 * fix packet injection
 
 * remove a wrong error message when dumping PCI registers
 
 * fix race condition with RF-kill
 
 * tell mac80211 when the MIC has been stripped (9000 series)
 
 * tell mac80211 when the IVC has been stripped (9000 series)
 
 * add 2 new PCI IDs, one for 9000 and one for 22000
 
 * fix a queue hang due during a P2P Remain-on-Channel operation
 
 brcmfmac
 
 * fix a race which sometimes caused a crash during sdio unbind
 
 * fix a kernel-doc related build error
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJaKp9UAAoJEG4XJFUm622bhXgH+wTtTVEH0lAOTtK+PyBkxkRH
 Q+55Yf1XZ9lNYxmfXhYgObusSbmeL8tClMuISCcQS9gX0um1Vuuud4CLemgO2V7R
 V1xuWTKjanaKf8PouKx9SUt1Fx6CsFdwlivJX+eZTfKlKYtwNbNX4onWl9GN2jVZ
 5/2l+m3MJbTMMzarZTGLkBJqpTk8DGTNINtKeRd+VF+717SlbqpRlw1TTlbVJcR2
 nHcJ3p5JGbU/+hOTroOWUr7kGdpdYlWLfcyOL8iT3rZXtAzH/POjPAmQv9VVRaC+
 anm5zn+gZ5GH9XF+pc3nrGOEZ2Ei4LtszMQjdo4Zo9V3ngCj/0OoEnkto6VLbkw=
 =lzG8
 -----END PGP SIGNATURE-----

Merge tag 'wireless-drivers-for-davem-2017-12-08' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers

Kalle Valo says:

====================
wireless-drivers fixes for 4.15

Second set of fixes for 4.15. This time a lot of iwlwifi patches and
two brcmfmac patches. Most important here are the MIC and IVC fixes
for iwlwifi to unbreak 9000 series.

iwlwifi

* fix rate-scaling to not start lowest possible rate

* fix the TX queue hang detection for AP/GO modes

* fix the TX queue hang timeout in monitor interfaces

* fix packet injection

* remove a wrong error message when dumping PCI registers

* fix race condition with RF-kill

* tell mac80211 when the MIC has been stripped (9000 series)

* tell mac80211 when the IVC has been stripped (9000 series)

* add 2 new PCI IDs, one for 9000 and one for 22000

* fix a queue hang due during a P2P Remain-on-Channel operation

brcmfmac

* fix a race which sometimes caused a crash during sdio unbind

* fix a kernel-doc related build error
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:48:49 -05:00
Antoine Tenart 8a7b741e76 net: mvpp2: fix the RSS table entry offset
The macro used to access or set an RSS table entry was using an offset
of 8, while it should use an offset of 0. This lead to wrongly configure
the RSS table, not accessing the right entries.

Fixes: 1d7d15d79f ("net: mvpp2: initialize the RSS tables")
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:35:15 -05:00
David S. Miller b7e445a1c8 Merge branch 'tcp-RACK-loss-recovery-bug-fixes'
Yuchung Cheng says:

====================
tcp: RACK loss recovery bug fixes

This patch set has four minor bug fixes in TCP RACK loss recovery.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:12 -05:00
Yuchung Cheng 6065fd0d17 tcp: evaluate packet losses upon RTT change
RACK skips an ACK unless it advances the most recently delivered
TX timestamp (rack.mstamp). Since RACK also uses the most recent
RTT to decide if a packet is lost, RACK should still run the
loss detection whenever the most recent RTT changes. For example,
an ACK that does not advance the timestamp but triggers the cwnd
undo due to reordering, would then use the most recent (higher)
RTT measurement to detect further losses.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Priyaranjan Jha <priyarjha@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:11 -05:00
Yuchung Cheng 428aec5e69 tcp: fix off-by-one bug in RACK
RACK should mark a packet lost when remaining wait time is zero.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Priyaranjan Jha <priyarjha@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:11 -05:00
Yuchung Cheng cd1fc85b43 tcp: always evaluate losses in RACK upon undo
When sender detects spurious retransmission, all packets
marked lost are remarked to be in-flight. However some may
be considered lost based on its timestamps in RACK. This patch
forces RACK to re-evaluate, which may be skipped previously if
the ACK does not advance RACK timestamp.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Priyaranjan Jha <priyarjha@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:11 -05:00
Yuchung Cheng 0ce294d884 tcp: correctly test congestion state in RACK
RACK does not test the loss recovery state correctly to compute
the reordering window. It assumes if lost_out is zero then TCP is
not in loss recovery. But it can be zero during recovery before
calling tcp_rack_detect_loss(): when an ACK acknowledges all
packets marked lost before receiving this ACK, but has not yet
to discover new ones by tcp_rack_detect_loss(). The fix is to
simply test the congestion state directly.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Priyaranjan Jha <priyarjha@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:11 -05:00
Calvin Owens 2edbdb3159 bnxt_en: Fix sources of spurious netpoll warnings
After applying 2270bc5da3 ("bnxt_en: Fix netpoll handling") and
903649e718 ("bnxt_en: Improve -ENOMEM logic in NAPI poll loop."),
we still see the following WARN fire:

  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 1875170 at net/core/netpoll.c:165 netpoll_poll_dev+0x15a/0x160
  bnxt_poll+0x0/0xd0 exceeded budget in poll
  <snip>
  Call Trace:
   [<ffffffff814be5cd>] dump_stack+0x4d/0x70
   [<ffffffff8107e013>] __warn+0xd3/0xf0
   [<ffffffff8107e07f>] warn_slowpath_fmt+0x4f/0x60
   [<ffffffff8179519a>] netpoll_poll_dev+0x15a/0x160
   [<ffffffff81795f38>] netpoll_send_skb_on_dev+0x168/0x250
   [<ffffffff817962fc>] netpoll_send_udp+0x2dc/0x440
   [<ffffffff815fa9be>] write_ext_msg+0x20e/0x250
   [<ffffffff810c8125>] call_console_drivers.constprop.23+0xa5/0x110
   [<ffffffff810c9549>] console_unlock+0x339/0x5b0
   [<ffffffff810c9a88>] vprintk_emit+0x2c8/0x450
   [<ffffffff810c9d5f>] vprintk_default+0x1f/0x30
   [<ffffffff81173df5>] printk+0x48/0x50
   [<ffffffffa0197713>] edac_raw_mc_handle_error+0x563/0x5c0 [edac_core]
   [<ffffffffa0197b9b>] edac_mc_handle_error+0x42b/0x6e0 [edac_core]
   [<ffffffffa01c3a60>] sbridge_mce_output_error+0x410/0x10d0 [sb_edac]
   [<ffffffffa01c47cc>] sbridge_check_error+0xac/0x130 [sb_edac]
   [<ffffffffa0197f3c>] edac_mc_workq_function+0x3c/0x90 [edac_core]
   [<ffffffff81095f8b>] process_one_work+0x19b/0x480
   [<ffffffff810967ca>] worker_thread+0x6a/0x520
   [<ffffffff8109c7c4>] kthread+0xe4/0x100
   [<ffffffff81884c52>] ret_from_fork+0x22/0x40

This happens because we increment rx_pkts on -ENOMEM and -EIO, resulting
in rx_pkts > 0. Fix this by only bumping rx_pkts if we were actually
given a non-zero budget.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:07:19 -05:00
Neil Armstrong 39005e562a ARM64: dts: meson-gx: fix UART pclk clock name
The clock-names for pclk was wrongly set to "core", but the bindings
specifies "pclk".
This was not cathed until the legacy non-documented bindings were removed.

Reported-by: Andreas Färber <afaerber@suse.de>
Fixes: f72d6f6037 ("ARM64: dts: meson-gx: use stable UART bindings with correct gate clock")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
2017-12-08 10:39:11 -08:00
David S. Miller b25b3e2fd9 Merge branch 'tcp-bbr-sampling-fixes'
Neal Cardwell says:

====================
TCP BBR sampling fixes for loss recovery undo

This patch series has a few minor bug fixes for cases where spurious
loss recoveries can trick BBR estimators into estimating that the
available bandwidth is much lower than the true available bandwidth.
In both cases the fix here is to just reset the estimator upon loss
recovery undo.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:27:44 -05:00
Neal Cardwell 600647d467 tcp_bbr: reset long-term bandwidth sampling on loss recovery undo
Fix BBR so that upon notification of a loss recovery undo BBR resets
long-term bandwidth sampling.

Under high reordering, reordering events can be interpreted as loss.
If the reordering and spurious loss estimates are high enough, this
can cause BBR to spuriously estimate that we are seeing loss rates
high enough to trigger long-term bandwidth estimation. To avoid that
problem, this commit resets long-term bandwidth sampling on loss
recovery undo events.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:27:43 -05:00
Neal Cardwell 2f6c498e4f tcp_bbr: reset full pipe detection on loss recovery undo
Fix BBR so that upon notification of a loss recovery undo BBR resets
the full pipe detection (STARTUP exit) state machine.

Under high reordering, reordering events can be interpreted as loss.
If the reordering and spurious loss estimates are high enough, this
could previously cause BBR to spuriously estimate that the pipe is
full.

Since spurious loss recovery means that our overall sending will have
slowed down spuriously, this commit gives a flow more time to probe
robustly for bandwidth and decide the pipe is really full.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:27:43 -05:00
Neal Cardwell c589e69b50 tcp_bbr: record "full bw reached" decision in new full_bw_reached bit
This commit records the "full bw reached" decision in a new
full_bw_reached bit. This is a pure refactor that does not change the
current behavior, but enables subsequent fixes and improvements.

In particular, this enables simple and clean fixes because the full_bw
and full_bw_cnt can be unconditionally zeroed without worrying about
forgetting that we estimated we filled the pipe in Startup. And it
enables future improvements because multiple code paths can be used
for estimating that we filled the pipe in Startup; any new code paths
only need to set this bit when they think the pipe is full.

Note that this fix intentionally reduces the width of the full_bw_cnt
counter, since we have never used the most significant bit.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:27:43 -05:00
Bert Kenward d4a7a8893d sfc: pass valid pointers from efx_enqueue_unwind
The bytes_compl and pkts_compl pointers passed to efx_dequeue_buffers
cannot be NULL. Add a paranoid warning to check this condition and fix
the one case where they were NULL.

efx_enqueue_unwind() is called very rarely, during error handling.
Without this fix it would fail with a NULL pointer dereference in
efx_dequeue_buffer, with efx_enqueue_skb in the call stack.

Fixes: e9117e5099 ("sfc: Firmware-Assisted TSO version 2")
Reported-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Bert Kenward <bkenward@solarflare.com>
Tested-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:25:39 -05:00
Claudiu Manoil b6b5e8a691 gianfar: Disable EEE autoneg by default
This controller does not support EEE, but it may connect to a PHY
which supports EEE and advertises EEE by default, while its link
partner also advertises EEE. If this happens, the PHY enters low
power mode when the traffic rate is low and causes packet loss.
This patch disables EEE advertisement by default for any PHY that
gianfar connects to, to prevent the above unwanted outcome.

Signed-off-by: Shaohui Xie <Shaohui.Xie@nxp.com>
Tested-by: Yangbo Lu <Yangbo.lu@nxp.com>
Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:23:01 -05:00
Linus Torvalds c6b3e9693f Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:

 - three more patches in regard to the SPDX license tags. The missing
   tags for the files in arch/s390/kvm will be merged via the KVM tree.
   With that all s390 related files should have their SPDX tags.

 - a patch to get rid of 'struct timespec' in the DASD driver.

 - bug fixes

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390: fix compat system call table
  s390/mm: fix off-by-one bug in 5-level page table handling
  s390: Remove redudant license text
  s390: add a few more SPDX identifiers
  s390/dasd: prevent prefix I/O error
  s390: always save and restore all registers on context switch
  s390/dasd: remove 'struct timespec' usage
  s390/qdio: restrict target-full handling to IQDIO
  s390/qdio: consider ERROR buffers for inbound-full condition
  s390/virtio: add BSD license to virtio-ccw
2017-12-08 10:10:17 -08:00
Linus Torvalds 6e7e7f4ddc arm64 fixes:
- Fix SW PAN pgd shadowing for kernel threads, EFI and exiting user tasks
 
 - Fix FP register leak when a task_struct is re-allocated
 
 - Fix potential use-after-free in FP state tracking used by KVM
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABCgAGBQJaKUT9AAoJELescNyEwWM0AdIH/RmM1E3LIbOga+9DyqeQ4i8/
 +8AVV0wFEyIYZY3APrFEnasrjuunWvCUZMOT5HwkfcWpBUmxKHmgG/Jy0dgvZ9at
 xC5WAgYZuN2Z1U9smrCWVBiUlojrxbaEPS/RR4QqB0ViHg2xBL8TW6Dolm8Rt4ei
 UMXyhLAzUPgTIzN+xiW10dg5VqwLv2y1HvbbaF3bUhidrccMeyz+7bpwYfk26n+c
 2N7XJqc9t7DxqBpr1ZSwUzAz89wVDI7cCll+9nTS0/UBDeYXSHwTqO8MbmoRVPo9
 Mlf0NdFwTqKE0YS/4q2QBfMog4fzJQmQrcrsoHUy/ZA2IBuUxKsBVn4SCG0Y9Q8=
 =Esv9
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:
 "Fix some more FP register fallout from the SVE patches and also some
  problems with the PGD tracking in our software PAN emulation code,
  after we received a crash report from a 3.18 kernel running a
  backport.

  Summary:

   - fix SW PAN pgd shadowing for kernel threads, EFI and exiting user
     tasks

   - fix FP register leak when a task_struct is re-allocated

   - fix potential use-after-free in FP state tracking used by KVM"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64/sve: Avoid dereference of dead task_struct in KVM guest entry
  arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb
  arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm
  arm64: fpsimd: Abstract out binding of task's fpsimd context to the cpu.
  arm64: fpsimd: Prevent registers leaking from dead tasks
2017-12-08 10:08:23 -08:00
Linus Torvalds 3625de4b28 ACPI fix for v4.15-rc3
This fixes an out of bounds warning from KASAN in the ACPI
 CPPC driver.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJaKXLtAAoJEILEb/54YlRxEmUQAJ1MnvVoCIpB/NC/gcp8wBwZ
 Y9rOJhnsgTiAA8Or7YJCOhPAHCa2S16m/nCkgrZfSjNgYJ/nHT8SB5vw8Fkc/PIz
 Jmc3E/yVvn446c9ozSa3NALth5Ov90ys4HFsF3jjetTr7aDwmwjaC2pIGRBd6pUK
 nk1MBMdu4wsGYssCV3dMjH4B1TmnU3rLyCl95yFFI8jgjA4slVk+I3EtxrlSOOHy
 9wnbHOWch2UbJBDQLIhhgXKcUXDxnwfBJ8aoEGQ2LokTU1pdXMJG2RFPKG1Dtuqh
 JBhSRXe7jA7jkdGda6sXFOWc7hXMscf0FMOvf3+x7q91OIumtNqxIm45nTEdMOBl
 vT5eFsAUOD8HzaA9BYt/QVIFR9jG0leofVpgK+xGVzISWrLSavaEcuX1gblJ120I
 iJMd0zuPnrktjYRn6VWxVKXpGKr4/EqCuVRE3EHG9aERJtKsfN9vIh66m97JfI2D
 Eb8ifaL7nVIALoWPlq53Lhjllf/cCwvoUNMLhnnoqZU5HWOfolTyGQHeI0DjhQv2
 UCxjuKFCtBKQyMNNyWXF1MWOGcgky3v/4HdkYjfly1h0eO6l5owilj+OW4cxss9l
 NtUCuT2IsQ6dO5oooz+fHzvz0AkgtB+pYLZie28+b3Y5CgvnKTYsnxeMVchkcmo1
 XnL6KGvGgX68z/0AVrMt
 =35fs
 -----END PGP SIGNATURE-----

Merge tag 'acpi-4.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fix from Rafael Wysocki:
 "This fixes an out of bounds warning from KASAN in the ACPI CPPC
  driver"

* tag 'acpi-4.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / CPPC: Fix KASAN global out of bounds warning
2017-12-08 10:05:53 -08:00
Linus Torvalds 7ed9fd2e29 Power management fix for v4.15-rc3
This fixes an issue in the device runtime PM framework that prevents
 customer devices from resuming if runtime PM is disabled for one or
 more of their supplier devices (as reflected by device links between
 those devices).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIbBAABCAAGBQJaKXG3AAoJEILEb/54YlRxBjQP90QAzPd1hg8bTmn9OQc3aB1q
 IRR6AZDx/ZQ4ORn1P5IVcjxB9hrnsRbfOi1saeiFrkNZfdr7i0X+ViF/4hjcQfuK
 mc//rKxGhUCqlT9mX4i0wY7quxglZWjFh3ld+qlQNNCip0D4JZEo8mYF4BFbjkg4
 s3940XvXxgx1RRB5b1PsfWrlnAc/LgE4o4+1HvVVPKQdZZPsDHWJkDGuhI4in+fS
 lIoiAzx8dkh6O1JRAQQoaurygtfCd4/ni552DhaiKPxXmoLK5dKl1RJqku2PxMk9
 4GdU2k/JFyQZOx1EMWWiINjqivUBq+dIbK2wo4kike5mAh7v71/PT5lIC2mNG8td
 xd/o9zFG8qZ9USZHFKQmQk7kftCebipYlEZkJiUueUQa3uXDt6BGUhZ/YUoEL/dv
 Svy3fx4iCz3eX98aoJIL9ng0O98BJdV0m9cxBm10qXVlBnsrP1gBp43OaNoxNUDz
 duh4/kJJ3EC0lnYdIOyP3Wl1pzQKO8ZLBr5iA+3Fnm6XWfx2/nKaUijIFu73oHJq
 0ZJaApH52yh00uL4Rwy0CKx2cZi67G7HVMoiZ/DpZFA6XEKrnfvBb/tHrZ/Z61rC
 BLSdBDgZZ2ZyitZgHrttKJV5cBgC8EIcewTGYDwU+s17KgtWsXermktYYWXigBFq
 fgcz+26Gzrv8mnpWk+M=
 =/T0U
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fix from Rafael Wysocki:
 "This fixes an issue in the device runtime PM framework that prevents
  customer devices from resuming if runtime PM is disabled for one or
  more of their supplier devices (as reflected by device links between
  those devices)"

* tag 'pm-4.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / runtime: Fix handling of suppliers with disabled runtime PM
2017-12-08 09:58:10 -08:00
Geert Uytterhoeven 589b754df3 of: overlay: Make node skipping in init_overlay_changeset() clearer
Make it more clear that nodes without "__overlay__" subnodes are
skipped, by reverting the logic and using continue.
This also reduces indentation level.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-12-08 09:32:18 -06:00
Geert Uytterhoeven 35e691eddc of: overlay: Fix out-of-bounds write in init_overlay_changeset()
If an overlay has no "__symbols__" node, but it has nodes without
"__overlay__" subnodes at the end (e.g. a "__fixups__" node), after
filling in all fragments for nodes with "__overlay__" subnodes,
"fragment = &fragments[cnt]" will point beyond the end of the allocated
array.

Hence writing to "fragment->overlay" will overwrite unallocated memory,
which may lead to a crash later.

Fix this by deferring both the assignment to "fragment" and the
offending write afterwards until we know for sure the node has an
"__overlay__" subnode, and thus a valid entry in "fragments[]".

Fixes: 61b4de4e0b ("of: overlay: minor restructuring")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-12-08 09:32:10 -06:00
Eric Biggers 54c1fb39fe X.509: fix comparisons of ->pkey_algo
->pkey_algo used to be an enum, but was changed to a string by commit
4e8ae72a75 ("X.509: Make algo identifiers text instead of enum").  But
two comparisons were not updated.  Fix them to use strcmp().

This bug broke signature verification in certain configurations,
depending on whether the string constants were deduplicated or not.

Fixes: 4e8ae72a75 ("X.509: Make algo identifiers text instead of enum")
Cc: <stable@vger.kernel.org> # v4.6+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-12-08 15:13:29 +00:00
Eric Biggers 18026d8668 KEYS: reject NULL restriction string when type is specified
keyctl_restrict_keyring() allows through a NULL restriction when the
"type" is non-NULL, which causes a NULL pointer dereference in
asymmetric_lookup_restriction() when it calls strcmp() on the
restriction string.

But no key types actually use a "NULL restriction" to mean anything, so
update keyctl_restrict_keyring() to reject it with EINVAL.

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 97d3aa0f31 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-12-08 15:13:29 +00:00
Colin Ian King 3d1f025542 security: keys: remove redundant assignment to key_ref
Variable key_ref is being assigned a value that is never read;
key_ref is being re-assigned a few statements later.  Hence this
assignment is redundant and can be removed.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
2017-12-08 15:13:29 +00:00
Eric Biggers aa33003620 X.509: use crypto_shash_digest()
Use crypto_shash_digest() instead of crypto_shash_init() followed by
crypto_shash_finup().  (For simplicity only; they are equivalent.)

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-12-08 15:13:29 +00:00
Eric Biggers 72f9a07b6b KEYS: be careful with error codes in public_key_verify_signature()
In public_key_verify_signature(), if akcipher_request_alloc() fails, we
return -ENOMEM.  But that error code was set 25 lines above, and by
accident someone could easily insert new code in between that assigns to
'ret', which would introduce a signature verification bypass.  Make the
code clearer by moving the -ENOMEM down to where it is used.

Additionally, the callers of public_key_verify_signature() only consider
a negative return value to be an error.  This means that if any positive
return value is accidentally introduced deeper in the call stack (e.g.
'return EBADMSG' instead of 'return -EBADMSG' somewhere in RSA),
signature verification will be bypassed.  Make things more robust by
having public_key_verify_signature() warn about positive errors and
translate them into -EINVAL.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-12-08 15:13:29 +00:00
Eric Biggers a80745a6de pkcs7: use crypto_shash_digest()
Use crypto_shash_digest() instead of crypto_shash_init() followed by
crypto_shash_finup().  (For simplicity only; they are equivalent.)

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-12-08 15:13:28 +00:00
Eric Biggers 7204eb8590 pkcs7: fix check for self-signed certificate
pkcs7_validate_trust_one() used 'x509->next == x509' to identify a
self-signed certificate.  That's wrong; ->next is simply the link in the
linked list of certificates in the PKCS#7 message.  It should be
checking ->signer instead.  Fix it.

Fortunately this didn't actually matter because when we re-visited
'x509' on the next iteration via 'x509->signer', it was already seen and
not verified, so we returned -ENOKEY anyway.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
2017-12-08 15:13:28 +00:00
Eric Biggers 8ecb506d34 pkcs7: return correct error code if pkcs7_check_authattrs() fails
If pkcs7_check_authattrs() returns an error code, we should pass that
error code on, rather than using ENOMEM.

Fixes: 99db443506 ("PKCS#7: Appropriately restrict authenticated attributes and content type")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
2017-12-08 15:13:28 +00:00
Eric Biggers 8dfd2f22d3 509: fix printing uninitialized stack memory when OID is empty
Callers of sprint_oid() do not check its return value before printing
the result.  In the case where the OID is zero-length, -EBADMSG was
being returned without anything being written to the buffer, resulting
in uninitialized stack memory being printed.  Fix this by writing
"(bad)" to the buffer in the cases where -EBADMSG is returned.

Fixes: 4f73175d03 ("X.509: Add utility functions to render OIDs as strings")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-12-08 15:13:28 +00:00
Eric Biggers 47e0a208fb X.509: fix buffer overflow detection in sprint_oid()
In sprint_oid(), if the input buffer were to be more than 1 byte too
small for the first snprintf(), 'bufsize' would underflow, causing a
buffer overflow when printing the remainder of the OID.

Fortunately this cannot actually happen currently, because no users pass
in a buffer that can be too small for the first snprintf().

Regardless, fix it by checking the snprintf() return value correctly.

For consistency also tweak the second snprintf() check to look the same.

Fixes: 4f73175d03 ("X.509: Add utility functions to render OIDs as strings")
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
2017-12-08 15:13:28 +00:00
Eric Biggers 0f30cbea00 X.509: reject invalid BIT STRING for subjectPublicKey
Adding a specially crafted X.509 certificate whose subjectPublicKey
ASN.1 value is zero-length caused x509_extract_key_data() to set the
public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
metadata byte.  Then, x509_cert_parse() called kmemdup() with that bogus
size, triggering the WARN_ON_ONCE() in kmalloc_slab().

This appears to be harmless, but it still must be fixed since WARNs are
never supposed to be user-triggerable.

Fix it by updating x509_cert_parse() to validate that the value has a
BIT STRING metadata byte, and that the byte is 0 which indicates that
the number of bits in the bitstring is a multiple of 8.

It would be nice to handle the metadata byte in asn1_ber_decoder()
instead.  But that would be tricky because in the general case a BIT
STRING could be implicitly tagged, and/or could legitimately have a
length that is not a whole number of bytes.

Here was the WARN (cleaned up slightly):

    WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
    Modules linked in:
    CPU: 1 PID: 202 Comm: keyctl Tainted: G    B            4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    task: ffff880033014180 task.stack: ffff8800305c8000
    Call Trace:
     __do_kmalloc mm/slab.c:3706 [inline]
     __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
     kmemdup+0x17/0x40 mm/util.c:118
     kmemdup include/linux/string.h:414 [inline]
     x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f8 ("X.509: Add an ASN.1 decoder")
Cc: <stable@vger.kernel.org> # v3.7+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
2017-12-08 15:13:27 +00:00
Eric Biggers 81a7be2cd6 ASN.1: check for error from ASN1_OP_END__ACT actions
asn1_ber_decoder() was ignoring errors from actions associated with the
opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT.  In practice, this
meant the pkcs7_note_signed_info() action (since that was the only user
of those opcodes).  Fix it by checking for the error, just like the
decoder does for actions associated with the other opcodes.

This bug allowed users to leak slab memory by repeatedly trying to add a
specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).

In theory, this bug could also be used to bypass module signature
verification, by providing a PKCS#7 message that is misparsed such that
a signature's ->authattrs do not contain its ->msgdigest.  But it
doesn't seem practical in normal cases, due to restrictions on the
format of the ->authattrs.

Fixes: 42d5ec27f8 ("X.509: Add an ASN.1 decoder")
Cc: <stable@vger.kernel.org> # v3.7+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
2017-12-08 15:13:27 +00:00