Commit Graph

634335 Commits

Author SHA1 Message Date
Eric Biggers
db717d8e26 fscrypto: move ioctl processing more fully into common code
Multiple bugs were recently fixed in the "set encryption policy" ioctl.
To make it clear that fscrypt_process_policy() and fscrypt_get_policy()
implement ioctls and therefore their implementations must take standard
security and correctness precautions, rename them to
fscrypt_ioctl_set_policy() and fscrypt_ioctl_get_policy().  Make the
latter take in a struct file * to make it consistent with the former.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-12-11 16:26:07 -05:00
Eric Biggers
8048123576 fscrypto: remove unneeded Kconfig dependencies
SHA256 and ENCRYPTED_KEYS are not needed.  CTR shouldn't be needed
either, but I left it for now because it was intentionally added by
commit 71dea01ea2 ("ext4 crypto: require CONFIG_CRYPTO_CTR if ext4
encryption is enabled").  So it sounds like there may be a dependency
problem elsewhere, which I have not been able to identify specifically,
that must be solved before CTR can be removed.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-12-11 16:26:07 -05:00
Eric Biggers
c1b2212990 MAINTAINERS: fscrypto: recommend linux-fsdevel for fscrypto patches
The filesystem level encryption support, currently used by ext4 and f2fs
and proposed for ubifs, does not yet have a dedicated mailing list.
Since no mailing lists were specified in MAINTAINERS, get_maintainer.pl
only recommended to send patches directly to the maintainers and to
linux-kernel.  This patch adds linux-fsdevel as the preferred mailing
list for fscrypto patches for the time being.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-12-11 16:26:06 -05:00
Eric Biggers
a6e0891286 fscrypto: don't use on-stack buffer for key derivation
With the new (in 4.9) option to use a virtually-mapped stack
(CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
the scatterlist crypto API because they may not be directly mappable to
struct page.  get_crypt_info() was using a stack buffer to hold the
output from the encryption operation used to derive the per-file key.
Fix it by using a heap buffer.

This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
because this allowed the BUG in sg_set_buf() to be triggered.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-11-13 21:56:25 -05:00
Eric Biggers
08ae877f4e fscrypto: don't use on-stack buffer for filename encryption
With the new (in 4.9) option to use a virtually-mapped stack
(CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
the scatterlist crypto API because they may not be directly mappable to
struct page.  For short filenames, fname_encrypt() was encrypting a
stack buffer holding the padded filename.  Fix it by encrypting the
filename in-place in the output buffer, thereby making the temporary
buffer unnecessary.

This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
because this allowed the BUG in sg_set_buf() to be triggered.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-11-13 21:56:19 -05:00
David Gstir
9c4bb8a3a9 fscrypt: Let fs select encryption index/tweak
Avoid re-use of page index as tweak for AES-XTS when multiple parts of
same page are encrypted. This will happen on multiple (partial) calls of
fscrypt_encrypt_page on same page.
page->index is only valid for writeback pages.

Signed-off-by: David Gstir <david@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-11-13 20:18:16 -05:00
David Gstir
0b93e1b94b fscrypt: Constify struct inode pointer
Some filesystems, such as UBIFS, maintain a const pointer for struct
inode.

Signed-off-by: David Gstir <david@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-11-13 20:18:01 -05:00
David Gstir
7821d4dd45 fscrypt: Enable partial page encryption
Not all filesystems work on full pages, thus we should allow them to
hand partial pages to fscrypt for en/decryption.

Signed-off-by: David Gstir <david@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-11-13 18:55:21 -05:00
David Gstir
b50f7b268b fscrypt: Allow fscrypt_decrypt_page() to function with non-writeback pages
Some filesystem might pass pages which do not have page->mapping->host
set to the encrypted inode. We want the caller to explicitly pass the
corresponding inode.

Signed-off-by: David Gstir <david@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-11-13 18:53:10 -05:00
David Gstir
1c7dcf69ee fscrypt: Add in-place encryption mode
ext4 and f2fs require a bounce page when encrypting pages. However, not
all filesystems will need that (eg. UBIFS). This is handled via a
flag on fscrypt_operations where a fs implementation can select in-place
encryption over using a bounce page (which is the default).

Signed-off-by: David Gstir <david@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-11-13 18:47:04 -05:00
Linus Torvalds
bc33b0ca11 Linux 4.9-rc4 2016-11-05 16:23:36 -07:00
Linus Torvalds
bd060ac0f6 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fix from Wolfram Sang:
 "A bugfix for the I2C core fixing a (rare) race condition"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: core: fix NULL pointer dereference under race condition
2016-11-05 15:30:12 -07:00
Linus Torvalds
ffbcbfca84 Merge branches 'sched-urgent-for-linus' and 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull stack vmap fixups from Thomas Gleixner:
 "Two small patches related to sched_show_task():

   - make sure to hold a reference on the task stack while accessing it

   - remove the thread_saved_pc printout

  .. and add a sanity check into release_task_stack() to catch problems
  with task stack references"

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched/core: Remove pointless printout in sched_show_task()
  sched/core: Fix oops in sched_show_task()

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  fork: Add task stack refcounting sanity check and prevent premature task stack freeing
2016-11-05 11:46:02 -07:00
Linus Torvalds
6c286e812d Merge tag 'md/4.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md
Pull MD fixes from Shaohua Li:
 "There are several bug fixes queued:

   - fix raid5-cache recovery bugs

   - fix discard IO error handling for raid1/10

   - fix array sync writes bogus position to superblock

   - fix IO error handling for raid array with external metadata"

* tag 'md/4.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
  md: be careful not lot leak internal curr_resync value into metadata. -- (all)
  raid1: handle read error also in readonly mode
  raid5-cache: correct condition for empty metadata write
  md: report 'write_pending' state when array in sync
  md/raid5: write an empty meta-block when creating log super-block
  md/raid5: initialize next_checkpoint field before use
  RAID10: ignore discard error
  RAID1: ignore discard error
2016-11-05 11:34:07 -07:00
Linus Torvalds
e12d8d512f SCSI fixes on 20161105
Two more important data integrity fixes related to RAID device drivers which
 wrongly throw away the SYNCHRONIZE CACHE command in the non-RAID path and a
 memory leak in the scsi_debug driver
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJYHd5nAAoJEAVr7HOZEZN4BeIP/RmOchL8Xdm2GObAJYeeC5Jv
 7jYqcjsV3LHz8ubebRk/GmrcXVmF52VJ0nc6IgcoAhG44kaY99kapah7wDioMci4
 DC1m9twxQMfclEjk+8nL59iC4HR+A5TlMRnXf3XRTQ399w9KxGe1jGS2/OIOYpPd
 goeQdSfSLxQX87c4eZldotQDY/9NUDe/O0Af3JboX5ySCDnqKiu+xqhE+kXKY7oY
 bfsBurF875bER63YCeRIjmc/iO/klYGcm/7wsEJfxDZerY2/Sr6LaAd+bcComWX2
 YAcoTwOGHwbjhKUbkHGjsQIaT+VFNOCDfXF1Bm37WTF5/AFiBfHRgQEClXm5I6kD
 aRfcwfXeb6jDvUujCksIngSCeQc6/3np9gvmBV6hjKEmn07ny8j7vsDbI2gUL6rs
 IVzMrFUw8O/InyooJD9CubnV7cgKnU+3/WIw3J92UudiEDRJSpCiBszoKL7JnOeA
 aAeUl3hhQBr50w0nLCFcm65PnHjCY/4VuJ7ZXF6Z1e6y+yd81zrbzHYC4rb9sFsa
 3KJ4UgIajhC0t5FxDbwFfOj/b0WhLzqJeMrOnTyI+mrjpHWexNW+iIMw6qRi6yv9
 YuL9XvaaRblnmxOEma3A3xiTCQ6mFl4yYcMa4ppBlDgbTZSJff4kRB+Nma/qw1+v
 VrKlOiKXC5wYp8jPlRwT
 =xrlP
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Two more important data integrity fixes related to RAID device drivers
  which wrongly throw away the SYNCHRONIZE CACHE command in the non-RAID
  path and a memory leak in the scsi_debug driver"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
  scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
  scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices
2016-11-05 11:28:21 -07:00
Linus Torvalds
f29b909db9 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input subsystem updates from Dmitry Torokhov.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: psmouse - cleanup Focaltech code
  Input: i8042 - add XMG C504 to keyboard reset table
2016-11-05 11:26:11 -07:00
Linus Torvalds
03daa36f08 FireWire (IEEE 1394) subsystem fixes:
- Add missing input validation to the firewire-net driver.
     Invalid IP-over-1394 encapsulation headers could trigger
     buffer overflows (CVE 2016-8633).
 
   - IP-over-1394 link fragmentation headers were read and written
     incorrectly, breaking fragmented RX/TX with other OS's stacks.
 -----BEGIN PGP SIGNATURE-----
 
 iQI3BAABCAAhBQJYHgSgGhxzdGVmYW5yQHM1cjYuaW4tYmVybGluLmRlAAoJEHnz
 b7JUXXnQFGIP/AvXrsLFgO8vOZd967145Jz0FydmwRBsX1F90xugFIxJI8kRQSN4
 MQ/WHPaHl55LqX88VrxDTfN04TAtb243CDPXDnMN6rEzaSY4O7J6JO/zaUKMGyaW
 rocX3s3uufIqk/GXDk2+I0Ze6xHynbWEPaoDh0rHYkJcD0NHHi9SJPFZf8RnCx3g
 s7GAiU5V9o1SZydY9dCGo66Zl3JSujOsxpbVllT2ux+FWRReea5+O9ntWpPcW+E0
 Elc9v7Nt3BcOEDXrVYg8UIIX6RCt8IBDCaF6D7n8JrhU/ag+OH8+KondktU5P+BI
 MXcsm92UbM+/739RC7V6JbDSodUn1DisoOTyNmH58ZZerKWWt+7E27WXWuRu9ch7
 rBra6pcOhkhO9sHkrwf3DlP9nubAfVbznVxZFOI4O96fnpn284J0RX8brsMOeHcF
 iPAIpGc5PLyvyhczZSfokKj9S4kUvbwhNwCnHs32ttdrGSHRIVFKHsipsFFtcts2
 K7QAN9mxWtBeP8i3gd5tJO8FT7tvg4Ixtt/BzpsFpxaYk9b/k2RnrSt4b4/0mC2q
 fQ6urSQalvffmbU9eMm78NbaFV26s217gZHqqD++tAVLLgkwRaC2k/MucOJJz4xb
 5PYoGLDfCusReBP/MYdpqOhAUEBeeZ03IQT7gaGGDQ27x8k1UIpB57Sk
 =PxAL
 -----END PGP SIGNATURE-----

Merge tag 'firewire-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394

Pull FireWire (IEEE 1394) fixes from Stefan Richter:

 - add missing input validation to the firewire-net driver. Invalid
   IP-over-1394 encapsulation headers could trigger buffer overflows
   (CVE 2016-8633).

 - IP-over-1394 link fragmentation headers were read and written
   incorrectly, breaking fragmented RX/TX with other OS's stacks.

* tag 'firewire-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
  firewire: net: fix fragmented datagram_size off-by-one
  firewire: net: guard against rx buffer overflows
2016-11-05 11:17:34 -07:00
Linus Torvalds
d8d1721cfb media fixes for v4.9-rc4
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJYGZuzAAoJEAhfPr2O5OEVEakQAJKu+4OwrzoWajdIibR9IVpP
 1gbwqAeTDp4XuHC4WyA8U3no3I5RG+moo4GNv87LNZ/H2ix1EGQn6IwbpYG0YmOB
 wdcZ2WViLc4tEYN/Rn7slwjY32dNplra6xNNSb0JHOT5tp6YOCLljqApd9FBvP25
 Yo10z0pRL78ce6VbXyDB5JuqUsjtHivzU45/O5M5giDFIngdqFuu0zneQeMbvulF
 rCz6HSqNutFaeRMdnbP6f2Vtmd2QjeCY4aYg5kQLqWiuXsdMplp9uJkeYaDgccDp
 TF9z33cJlmyPXY6/YH95yfca156EZIVco3yLnNp9Ehmr4S12NV0D3xMKCXPyucEJ
 A6FH60zqxe3qUv7sPi6w4MM7ufgq3F/i33lhhDLsNjw0R8m7ijohfIj7HI84XC+z
 Jjr44A/7p4hqbfvkBePyLHcqaglWnc0E6LnS7lUgJC4/h7z3H2DMoPaUwkjedAI6
 ynd5Ikfw+VvI0UQFyVBBWfH+ol+6BP7QO3TmHES9zfbPNMfhXc3ON4sk9yBzY50S
 cH6/TagQVmuk4zA457oAU+rrYR4g+di97Wk3AMi+gKGWu2qZmHE4Tv0gQsNHoPrK
 06VD1Ur04khRR3tOQ/OqDMGNyLHbCMIMXeUYc363uZ6wrcmVF5caDZ3oy3i1LNNO
 ZALCj0FYwNFmDs7+Ckmq
 =MRLH
 -----END PGP SIGNATURE-----

Merge tag 'media/v4.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:
 "A series of fixup patches meant to fix the usage of DMA on stack, plus
  one warning fixup"

* tag 'media/v4.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (32 commits)
  [media] radio-bcm2048: don't ignore errors
  [media] pctv452e: fix semicolon.cocci warnings
  [media] flexcop-usb: don't use stack for DMA
  [media] stk-webcam: don't use stack for DMA
  [media] s2255drv: don't use stack for DMA
  [media] cpia2_usb: don't use stack for DMA
  [media] digitv: handle error code on RC query
  [media] dw2102: return error if su3000_power_ctrl() fails
  [media] nova-t-usb2: handle error code on RC query
  [media] technisat-usb2: use DMA buffers for I2C transfers
  [media] pctv452e: don't call BUG_ON() on non-fatal error
  [media] pctv452e: don't do DMA on stack
  [media] nova-t-usb2: don't do DMA on stack
  [media] gp8psk: don't go past the buffer size
  [media] gp8psk: don't do DMA on stack
  [media] dtv5100: don't do DMA on stack
  [media] dtt200u: handle USB control message errors
  [media] dtt200u: don't do DMA on stack
  [media] dtt200u-fe: handle errors on USB control messages
  [media] dtt200u-fe: don't do DMA on stack
  ...
2016-11-05 11:15:09 -07:00
Linus Torvalds
41e6410ec3 pci-v4.9-fixes-2
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYHO/8AAoJEFmIoMA60/r8z/0P/1JT1lHNtDgC3RBr5NRy6x+K
 9xAfxeHJjxS/6YbFCBgPlzQJBzZMiSHptb/Y44Cqpr8Gz5WWnn18gbdMoBGQFc6k
 n7iVvEGlvf2YR3CulqdsUH3/B2hDjNbM45HT2Rwd1agq+qku6nMpXdUix+z7TNEg
 Tht/a8XAs77/XOl/uhGSCy5hvGKErcLNrZ1qFWmiUJEsFFgzSx3eqtx2MNJSiJyv
 /F9dzDIgNKAOdOv34hYndE+VLwyFAwqzvIgB5J4oLL23+FzRW68yvQgmt45cogTF
 NA4uFCfnaSK2Dy7qFOfevRE2AfQcSSfvvsGukQQaFoKyY8Jb6Z8w6WWO0P/RBQsY
 ZvmP10JfyjQ5z2SSAMcVNDXR2dL58zc6kuGZISUToX22mMSUsmFMhLq2350657C9
 0A8BkfO86z4EfgmO8aiBfgE7A6RrCR6yfouQTTGJ91COYEG60D/mPhlhtkmHE4yd
 3tqmBSEw11yv92OLU4DdoXFA7Cbm7DElEk6fPcw5TbbWCwbToTHNo/jHbe+0+Esy
 je5AFZe8IIuBHVkN3tcsoaRw2KKCtnBrLbfdyLME6KDXj7eZMg3WWoU0E5uwzIO3
 jLOSCBb2dtqrJmiE4sNiYob8wI+jOLsC/XHHczYWnIzLiYyvYeZP6cBhHao0KCLD
 /ao0YY6m3eUtwSJZbU2q
 =n738
 -----END PGP SIGNATURE-----

Merge tag 'pci-v4.9-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:

 - fix for a Qualcomm driver issue that causes a use-before-set crash

 - fix for DesignWare iATU unroll support that causes external aborts
   when enabling the host bridge

* tag 'pci-v4.9-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: designware: Check for iATU unroll support after initializing host
  PCI: qcom: Fix pp->dev usage before assignment
2016-11-05 11:11:31 -07:00
Linus Torvalds
785bcb40a0 MTD updates for 4.9-rc4:
* MAINTAINERS updates to reflect some new maintainers/submaintainers -- we
    have some great volunteers who've been developing and reviewing already.
    We're going to try a group maintainership model, so eventually you'll
    probably see pull requests from people besides me.
 
  * NAND fixes from Boris:
    """
    Three simple fixes:
 
    - the first one is fixing a non-critical bug in the gpmi driver
    - the second one is fixing a bug in the 'automatic NAND timings
      selection' feature introduced in 4.9-rc1
    - the last one is fixing a false positive uninitialized-var warning
    """
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYHSUHAAoJEFySrpd9RFgtnzYQAKROCvMsD8+2k2kxAQiR4HXk
 HtAVi7Pma3zBxbNYXyr1ThGS+Woiy4Ln4xrFyo2M4WQBjbwxZJmQ6BZi0WJ1Hmo0
 aZ0J+jxZHAqXFMlMqaD40w7khW97oTmQ7elCp7agpunQYo1QkbT/Kq/oO3Jet1GX
 lDA3JIbdpdk0nhS5p61tzlgzr6YaXvKQjbUxbtPgMi/sfEBAlG9AaoQWgYrvy0YD
 8JXV74Mo7tG/gNVhsNqTAnzgOHevaW1h2Oiy87Rn7os2eCVzSR0TkQ7AEMEBF55x
 2PpMhxPvxFn/rwAVyecgtkw8SJODng/ROa7iALoEGJiqSdWjhqpWkqhw4UQiHR2J
 mBHFL5+wzsNGyUCPtSmxP+QDK2pueQale3skZivz7twxrRI5OF4DLHMLqktoeqEL
 QGXZUzR+2guK0GK70UfsBiNkVjNH0AMCO+AedwhC6cc2Gei2qhivfIdwWNIY9otn
 2JMVW+pWYlCCtczatgMb1+7/ZlPH+iLpJZHcs/fAh/MGrSDEcXxP5jOxXo3ZS1sK
 jo8CbyRu/QfwWmnkskWfnmPvfbUpIyDmVddYoDmjDvtsea3s3zxvmUb0JhHY8se7
 594NRqEXThmf7LkbVIAS5260fBTELu6jh+y+Fsnpd73nUnrZTspDEYKX1CbNM2k7
 qpEeyozBpihUF9C6hq7o
 =7VFh
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-20161104' of git://git.infradead.org/linux-mtd

Pull MTD fixes from Brian Norris:

 - MAINTAINERS updates to reflect some new maintainers/submaintainers.

   We have some great volunteers who've been developing and reviewing
   already. We're going to try a group maintainership model, so
   eventually you'll probably see pull requests from people besides me.

 - NAND fixes from Boris:
    "Three simple fixes:

      - fix a non-critical bug in the gpmi driver
      - fix a bug in the 'automatic NAND timings selection' feature
        introduced in 4.9-rc1
      - fix a false positive uninitialized-var warning"

* tag 'for-linus-20161104' of git://git.infradead.org/linux-mtd:
  mtd: mtk: avoid warning in mtk_ecc_encode
  mtd: nand: Fix data interface configuration logic
  mtd: nand: gpmi: disable the clocks on errors
  MAINTAINERS: add more people to the MTD maintainer team
  MAINTAINERS: add a maintainer for the SPI NOR subsystem
2016-11-05 10:52:29 -07:00
Linus Torvalds
d29970401f MMC host:
- sdhci-msm: Fix error path in probe
  - dw_mmc-pltfm: Avoid NULL pointer dereference
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYHMdpAAoJEP4mhCVzWIwpjMAP/RLJWpvBhWZ+koq1C3wH7A3R
 ByPkaxdQWcjLm/WfFg5Vr4eZ2YsgBNYJrwxMp2kCikRw5xri86pfM7aAtdwNiZ9L
 6v1Sjeh+s5jNRR4QuhMiuHRCJrYbE0G58M57rOvmZww1CWU1U20a571QiShWxc39
 WrA54M5WmzhclAd0tonQKudvI8xh8aZlGQgOEnKG0Nb7m7sNx4Jhlq4W8UGzcUjI
 3SXx8QO/lZ2qDQTFCtchWg9mfzq/LLrFzWDQGCUR6aGVywXRR0Wm17nUt59ALGZq
 /csf6o5ZPC8XlWFO4UFFmn/jyoLI/LfKiNv03lg/WJ1PhWnXGgIiNhHCjVKZ360i
 yINagUAewBE58+95jKCl464lumC1Af1ky+/IUJ0+waba0ooyDixf9J9Og8BgxstF
 +bwEGmFSU4QzHwZEb8eUM1IEyMZ05+2kmEAZ8eUlV5ToXTAkLiPUOGwhanjz4NxG
 W8UZyLRtziXi5pdVwpAQYza8HAlqt9Rt5CSUlHtFdHXelb+gbfbcT4vFI4Qxbifq
 Nb+SN3GtwtSfqhkYNZdS6rmjQ4RQBSG1QhQUL+GetNOi1dxGZzZGRi40XqN+dbJL
 DztjHP9y/5gLIXGf2wMx9MWS/LKacsoIRUvCLszUwDCDl/iRZ9fGw+2uAmfJXmZH
 Ivi92WPjdadFg56CJb8n
 =P3pn
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v4.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:
 "MMC host:

   - sdhci-msm: Fix error path in probe
   - dw_mmc-pltfm: Avoid NULL pointer dereference"

* tag 'mmc-v4.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: sdhci-msm: Fix error return code in sdhci_msm_probe()
  mmc: dw_mmc-pltfm: fix the potential NULL pointer dereference
2016-11-05 10:49:28 -07:00
Linus Torvalds
594aef64b6 Some GPIO fixes for the v4.9 series:
- Fix a nasty file descriptor leak when getting line handles.
 
 - A fix for a cleanup that seemed innocent but created a problem
   for drivers instantiating several gpiochips for one single
   OF node.
 
 - Fix a unpredictable problem using irq_domain_simple() in the
   mvebu driver by converting it to a lineas irqdomain.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJYHIVAAAoJEEEQszewGV1zsPoP/1ZhUaz+w+KvKkAj0/6mPqiY
 tdzuU+LvC9/jnD80EVfkRVITMGTxKFyK8mtKTdkVd5Y4ZZVpCi6dCxuVSYL7ZmRy
 dQnjE+H+o3GuhhSsc1sjYPqG3QqWAF6f2bCqraI3HtbLonD1l7DUphfYSrgpDQoX
 yVRG4bwti2vpYMuV4wjA/hKUonsyeVkuO/5QQVdG/xXurOcL9z0ByVC9g2vfRQKu
 hw5CWx3XthhE/IWxKg9hjDcj4bYYaHlXfPKaBEzXm3wzF6MatJelVC/gIUZUS3wT
 mQY7RdQ4flK+rKjMQkQpG6a+b2hufER687EA7LjQ90CFwWQGwpT7JS9ig8sEnvKd
 DUtpk5oQJ99nZbVlMJ32AmFRSnSwUf3snbO8iUZvAa/tELdbBjDeXanzM4WMR4tZ
 LExyOXQLksUZttkzUM1SF0G1I/QT83vjdyLec7ssOvxuC6FdmjAtp8x6r2deqijx
 wkBMmuLayUFJu+lGCt0ssfOZ+14XquYax+1uVi3Uxb4MMrqEAz8YzBiM+Fyfr9tS
 sIAT0g96htF3wdiDbi2WA2LttpAghYpjNj9Mkz7BEcvFQexg4+KneYXA33opLOu7
 VVvTU5uJ5vegcAYxnEGjzaK4fgpNGgexyXzQZO3YMtMtnmXgfWmhKBV/7/fsB/E2
 odeokW90GQumdU5lEGYS
 =QmJl
 -----END PGP SIGNATURE-----

Merge tag 'gpio-v4.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio

Pull GPIO fixes from Linus Walleij:
 "Some GPIO fixes for the v4.9 series:

   - Fix a nasty file descriptor leak when getting line handles.

   - A fix for a cleanup that seemed innocent but created a problem for
     drivers instantiating several gpiochips for one single OF node.

   - Fix a unpredictable problem using irq_domain_simple() in the mvebu
     driver by converting it to a lineas irqdomain"

* tag 'gpio-v4.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio/mvebu: Use irq_domain_add_linear
  gpio: of: fix GPIO drivers with multiple gpio_chip for a single node
  gpio: GPIO_GET_LINE{HANDLE,EVENT}_IOCTL: Fix file descriptor leak
2016-11-05 10:42:20 -07:00
Linus Torvalds
fb415f222c Fixes for some recent regressions including fallout from the vmalloc'd
stack change (after which we can no longer encrypt stuff on the stack).
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJYHNwpAAoJECebzXlCjuG++DMP/3mUUAF09DfFR/EHl7knDT1f
 kZ53UVHYzr02w0wXfwxVLlp2H7TdSAufgsSvPT6qksA3eY7gL6nJ9zHkl+Nv5yCx
 y6vsFWjO1QEUWFOZWCKcmT2dAI3Ddt9IhK13pfZEKN1XKvK2zWB16HEVzSg6fR2K
 NwHlpMnQUI4HWThURzwTZb1M5YhxRCAnyiv8BTAAPjbEfzPzdL7j3jxwqtH8bOWp
 qIcDDvjC744b9zy0YuAEY/NyGBhYZPdM6gWsBBes1TRzBWUL9qsUYTWDJTmg/F1l
 Or0Jz7CUEN9uOHLGnkATPDc+eBg9YFV+bSsSnJu1/W4Er7dX1Af/lol79zEp/Zw1
 Snd9FelSPj3vxmYAFTCLnHRTRgsyiDhbbb7gVrzH9bxnCrRNR6p2kY018s1Cl9Td
 uWQoNNFQwwnYxWYEeZdO5PgX+pcgoCzhHACNk5oA93YaBE0GuLHHugwwIrYE8TM1
 1iY20sLC5lJcnPqxdgnoprZnnHMuL6rx5KRbvBeflNZ4huK2PIcPJyeB83XH6s12
 G67PjJ0rfWzSBF14O/ZtQA6he+kXvnH3pKqpNnaMiBxZZ2J8E1eQvrKTLLIwmtlP
 18KKJpZIzh7jTTZ/99nAMAt/BGw97P9TToLdnI8dCxYygHEaywpEYtcsE8IWFAvA
 3XkS5QdlJhhAaAUUYBXy
 =oPbZ
 -----END PGP SIGNATURE-----

Merge tag 'nfsd-4.9-1' of git://linux-nfs.org/~bfields/linux

Pull nfsd bugfixes from Bruce Fields:
 "Fixes for some recent regressions including fallout from the vmalloc'd
  stack change (after which we can no longer encrypt stuff on the
  stack)"

* tag 'nfsd-4.9-1' of git://linux-nfs.org/~bfields/linux:
  nfsd: Fix general protection fault in release_lock_stateid()
  svcrdma: backchannel cannot share a page for send and rcv buffers
  sunrpc: fix some missing rq_rbuffer assignments
  sunrpc: don't pass on-stack memory to sg_set_buf
  nfsd: move blocked lock handling under a dedicated spinlock
2016-11-04 20:12:10 -07:00
Linus Torvalds
46d7cbb2c4 Merge branch 'for-4.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
Pull btrfs fixes from Chris Mason:
 "Some fixes that Dave Sterba collected.  We held off on these last week
  because I was focused on the memory corruption testing"

* 'for-4.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: fix WARNING in btrfs_select_ref_head()
  Btrfs: remove some no-op casts
  btrfs: pass correct args to btrfs_async_run_delayed_refs()
  btrfs: make file clone aware of fatal signals
  btrfs: qgroup: Prevent qgroup->reserved from going subzero
  Btrfs: kill BUG_ON in do_relocation
2016-11-04 20:08:16 -07:00
Linus Torvalds
bd30fac18f Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
Pull overlayfs fixes from Miklos Szeredi:
 "Fix two more POSIX ACL bugs introduced in 4.8 and add a missing fsync
  during copy up to prevent possible data loss"

* 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
  ovl: fsync after copy-up
  ovl: fix get_acl() on tmpfs
  ovl: update S_ISGID when setting posix ACLs
2016-11-04 20:03:14 -07:00
Linus Torvalds
d4c5f43dcd drm fixes for amdgpu, radeon, intel, imx and virtio-gpu
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJYGoOdAAoJEAx081l5xIa+yxoQAJq5EYvmTQGjP8xP9gh2PaU/
 icQP5IWQipr0rZ7TbCsYTys75RDfYJBkbnERIoONGaNCxLvF72mzEfoIG7Abqrrn
 uyXb4bipKxxqWLsnb+RwjO5nwcI7lLqbUmU3kqa8XTpwdBFZUPlyGTLfkQKGgfbA
 gUrSgUstCskVDoTNRU4/z0hb1yvMVOIffUZ14QIhVp8yk+ljXvgSikSjtbfaKwPX
 q4zzD/Ny9zw9dMJgQc6kGNzbABzhdsFfIdt29yxLncg8vfOy2ht6L+1TUIi9NTz2
 4Xf9B1E8FnAyOPS9UdVasOIc/FOimoC8A/nwd2Yts5l422dnvRQqeob0w8RQxA4E
 4dAeKHiZt+Xt5IeNg2Sj62hdz/4h3y6UU6MRfNpHNGXNWx3M5Og+jnwu5jxsuufz
 PA39OgE36C3BBO2YrpZ46QA7Ggl36uLvoD/EcwH+Y0ILSmgBhll2tbEuqk5XjBGY
 4OMWjRd+HEkCjA1RBU67OYIJXKwIN6y8fftU1gTjauS2eZUapg+s74zhTVBgs+22
 ew4H7h2TTbx/1WjG3YwE1ENn0boxboh4CzfHTYUMfEZpGxW88BzsHvAAqdcV9ou6
 DzaGb5JBthX86Q9OxTtQhSFaD66jFU1TCmiPNwVDoDtPasR8jHOXWKGjni4xe/RR
 LIJDkcXk1cc1WUcASXf4
 =PI1l
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-for-v4.9-rc4' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "Fixes for amdgpu, radeon, intel, imx and virtio-gpu.

  This is a bit larger than I'd like, but I had some stuff I meant to
  send for -rc3 but was waiting for the PAT regression fix to land. So
  this is really fixes for rc3 and rc4 in one go.

  There are a set of fixes for an oops we've been seeing around MST
  display unplug, along with more suspend/resume and shutdown fixes for
  amdgpu, one power management follow on fix for nouveau, and set of imx
  fixes, and a single virtio-gpu regression fix"

* tag 'drm-fixes-for-v4.9-rc4' of git://people.freedesktop.org/~airlied/linux: (54 commits)
  virtio-gpu: fix vblank events
  drm/nouveau/acpi: fix check for power resources support
  drm/i915: Fix SKL+ 90/270 degree rotated plane coordinate computation
  drm/i915: Remove two invalid warns
  drm/i915: Rotated view does not need a fence
  drm/i915/fbc: fix CFB size calculation for gen8+
  drm: i915: Wait for fences on new fb, not old
  drm/i915: Clean up DDI DDC/AUX CH sanitation
  drm/i915: Respect alternate_aux_channel for all DDI ports
  drm/i915/gen9: fix watermarks when using the pipe scaler
  drm/i915: Fix mismatched INIT power domain disabling during suspend
  drm/i915: fix a read size argument
  drm/i915: Use fence_write() from rpm resume
  drm/i915/gen9: fix DDB partitioning for multi-screen cases
  drm/i915: workaround sparse warning on variable length arrays
  drm/i915: keep declarations in i915_drv.h
  drm/amd/powerplay: fix bug get wrong evv voltage of Polaris.
  drm/amdgpu/si_dpm: workaround for SI kickers
  drm/radeon/si_dpm: workaround for SI kickers
  drm/amdgpu: fix s3 resume back, uvd dpm randomly can't disable.
  ...
2016-11-04 13:30:13 -07:00
Niklas Cassel
416379f9eb PCI: designware: Check for iATU unroll support after initializing host
dw_pcie_iatu_unroll_enabled() reads a dbi_base register.  Reading any
dbi_base register before pp->ops->host_init has been called causes
"imprecise external abort" on platforms like ARTPEC-6, where the PCIe
module is disabled at boot and first enabled in pp->ops->host_init.  Move
dw_pcie_iatu_unroll_enabled() to dw_pcie_setup_rc(), since it is after
pp->ops->host_init, but before pp->iatu_unroll_enabled is actually used.

Fixes: a0601a4705 ("PCI: designware: Add iATU Unroll feature")
Tested-by: James Le Cuirot <chewi@gentoo.org>
Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Joao Pinto <jpinto@synopsys.com>
Acked-by: Olof Johansson <olof@lixom.net>
2016-11-04 15:28:55 -05:00
Linus Torvalds
66cecb6789 One NULL pointer dereference, and two fixes for regressions introduced
during the merge window.  The rest are fixes for MIPS, s390 and nested VMX.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJYG2H5AAoJEL/70l94x66DK/cH/0jEQ3ynuLAd5CKux7JxI/EP
 msSJh1Xqr4+XhXZnuDpGQWrdsBlxoiqA6PsJrUTtyi4nQCDXlT8g+2MDuvqhWIHz
 7vw58j/EMJDCVQzYAbN5VDUfk13uB5aSWTo3M9Rf09v0hU1Ql7z8u4CtKEdLpN5Y
 LY9bT9fxUmXO7REKP7bdW6ZrDX/hUShYHgMqzXGFMyGBG3ym3a9bggXEzTCD6eNQ
 ioogQIWqg+icdhta0iLNAwFClPlcKB2/xo4IUuNgrPwGoHFGJN/8+qxT4+sVbp2B
 v8u1zOXlCFXBcskWE+yRRsGe72+mIzz6QScCyO+5HbhKYVfbE9H7KBlFX9rZZ2c=
 =IbKx
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM updates from Paolo Bonzini:
 "One NULL pointer dereference, and two fixes for regressions introduced
  during the merge window.

  The rest are fixes for MIPS, s390 and nested VMX"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  kvm: x86: Check memopp before dereference (CVE-2016-8630)
  kvm: nVMX: VMCLEAR an active shadow VMCS after last use
  KVM: x86: drop TSC offsetting kvm_x86_ops to fix KVM_GET/SET_CLOCK
  KVM: x86: fix wbinvd_dirty_mask use-after-free
  kvm/x86: Show WRMSR data is in hex
  kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types
  KVM: document lock orders
  KVM: fix OOPS on flush_work
  KVM: s390: Fix STHYI buffer alignment for diag224
  KVM: MIPS: Precalculate MMIO load resume PC
  KVM: MIPS: Make ERET handle ERL before EXL
  KVM: MIPS: Fix lazy user ASID regenerate for SMP
2016-11-04 13:08:05 -07:00
Linus Torvalds
34c510b2ee Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
 "A set of MIPS fixes for 4.9:

   - lots of fixes for printk continuations
   - six fixes for FP related code.
   - fix max_low_pfn with disabled highmem
   - fix KASLR handling of NULL FDT and KASLR for generic kernels
   - fix build of compressed image
   - provide default mips_cpc_default_phys_base to ignore CPC
   - fix reboot on Malta"

* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: Fix max_low_pfn with disabled highmem
  MIPS: Correct MIPS I FP sigcontext layout
  MIPS: Fix ISA I/II FP signal context offsets
  MIPS: Remove FIR from ISA I FP signal context
  MIPS: Fix ISA I FP sigcontext access violation handling
  MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
  MIPS: ptrace: Also initialize the FP context on individual FCSR writes
  MIPS: dump_tlb: Fix printk continuations
  MIPS: Fix __show_regs() output
  MIPS: traps: Fix output of show_code
  MIPS: traps: Fix output of show_stacktrace
  MIPS: traps: Fix output of show_backtrace
  MIPS: Fix build of compressed image
  MIPS: generic: Fix KASLR for generic kernel.
  MIPS: KASLR: Fix handling of NULL FDT
  MIPS: Malta: Fixup reboot
  MIPS: CPC: Provide default mips_cpc_default_phys_base to ignore CPC
2016-11-04 13:03:57 -07:00
Linus Torvalds
f7df76e6ac Merge branch 'parisc-4.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
Pull parisc updates from Helge Deller:
 "The first three patches are trivial and add some required KERN_CONT,
  ignore the new pkey syscalls on parisc and use the LINUX_GATEWAY_ADDR
  define instead of hardcoded values.

  The two patches from Dave Anglin are important.

  The first one avoids trashing the sr2 and sr3 space registers in the
  Light-weight syscall path. Especially the usage of sr3 is critical
  since it may get trashed by the interrupt handler.

  The second patch is even more important and tagged for stable series.
  It protects one critical section in the syscall entry path by
  disabling local interrupts. Without disabling interrupts, the sr7
  space register may not be in sync with the current stack setup and
  thus an incoming hardware interrupt may destroy memory in random
  userspace areas"

* 'parisc-4.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
  parisc: Ignore the pkey system calls for now
  parisc: Use LINUX_GATEWAY_ADDR define instead of hardcoded value
  parisc: Ensure consistent state when switching to kernel stack at syscall entry
  parisc: Avoid trashing sr2 and sr3 in LWS code
  parisc: use KERN_CONT when printing device inventory
2016-11-04 13:01:13 -07:00
Vladimir Zapolskiy
147b36d5b7 i2c: core: fix NULL pointer dereference under race condition
Race condition between registering an I2C device driver and
deregistering an I2C adapter device which is assumed to manage that
I2C device may lead to a NULL pointer dereference due to the
uninitialized list head of driver clients.

The root cause of the issue is that the I2C bus may know about the
registered device driver and thus it is matched by bus_for_each_drv(),
but the list of clients is not initialized and commonly it is NULL,
because I2C device drivers define struct i2c_driver as static and
clients field is expected to be initialized by I2C core:

  i2c_register_driver()             i2c_del_adapter()
    driver_register()                 ...
      bus_add_driver()                ...
        ...                           bus_for_each_drv(..., __process_removed_adapter)
      ...                               i2c_do_del_adapter()
    ...                                   list_for_each_entry_safe(..., &driver->clients, ...)
    INIT_LIST_HEAD(&driver->clients);

To solve the problem it is sufficient to do clients list head
initialization before calling driver_register().

The problem was found while using an I2C device driver with a sluggish
registration routine on a bus provided by a physically detachable I2C
master controller, but practically the oops may be reproduced under
the race between arbitraty I2C device driver registration and managing
I2C bus device removal e.g. by unbinding the latter over sysfs:

% echo 21a4000.i2c > /sys/bus/platform/drivers/imx-i2c/unbind
  Unable to handle kernel NULL pointer dereference at virtual address 00000000
  Internal error: Oops: 17 [#1] SMP ARM
  CPU: 2 PID: 533 Comm: sh Not tainted 4.9.0-rc3+ #61
  Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
  task: e5ada400 task.stack: e4936000
  PC is at i2c_do_del_adapter+0x20/0xcc
  LR is at __process_removed_adapter+0x14/0x1c
  Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
  Control: 10c5387d  Table: 35bd004a  DAC: 00000051
  Process sh (pid: 533, stack limit = 0xe4936210)
  Stack: (0xe4937d28 to 0xe4938000)
  Backtrace:
  [<c0667be0>] (i2c_do_del_adapter) from [<c0667cc0>] (__process_removed_adapter+0x14/0x1c)
  [<c0667cac>] (__process_removed_adapter) from [<c0516998>] (bus_for_each_drv+0x6c/0xa0)
  [<c051692c>] (bus_for_each_drv) from [<c06685ec>] (i2c_del_adapter+0xbc/0x284)
  [<c0668530>] (i2c_del_adapter) from [<bf0110ec>] (i2c_imx_remove+0x44/0x164 [i2c_imx])
  [<bf0110a8>] (i2c_imx_remove [i2c_imx]) from [<c051a838>] (platform_drv_remove+0x2c/0x44)
  [<c051a80c>] (platform_drv_remove) from [<c05183d8>] (__device_release_driver+0x90/0x12c)
  [<c0518348>] (__device_release_driver) from [<c051849c>] (device_release_driver+0x28/0x34)
  [<c0518474>] (device_release_driver) from [<c0517150>] (unbind_store+0x80/0x104)
  [<c05170d0>] (unbind_store) from [<c0516520>] (drv_attr_store+0x28/0x34)
  [<c05164f8>] (drv_attr_store) from [<c0298acc>] (sysfs_kf_write+0x50/0x54)
  [<c0298a7c>] (sysfs_kf_write) from [<c029801c>] (kernfs_fop_write+0x100/0x214)
  [<c0297f1c>] (kernfs_fop_write) from [<c0220130>] (__vfs_write+0x34/0x120)
  [<c02200fc>] (__vfs_write) from [<c0221088>] (vfs_write+0xa8/0x170)
  [<c0220fe0>] (vfs_write) from [<c0221e74>] (SyS_write+0x4c/0xa8)
  [<c0221e28>] (SyS_write) from [<c0108a20>] (ret_fast_syscall+0x0/0x1c)

Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
2016-11-04 20:36:58 +01:00
James Hogan
16a767ec63 MIPS: Fix max_low_pfn with disabled highmem
When low memory doesn't reach HIGHMEM_START (e.g. up to 256MB at PA=0 is
common) and highmem is present above HIGHMEM_START (e.g. on Malta the
RAM overlayed by the IO region is aliased at PA=0x90000000), max_low_pfn
will be initially calculated very large and then clipped down to
HIGHMEM_START.

This causes crashes when reading /sys/kernel/mm/page_idle/bitmap
(i.e. CONFIG_IDLE_PAGE_TRACKING=y) when highmem is disabled. pfn_valid()
will compare against max_mapnr which is derived from max_low_pfn when
there is no highend_pfn set up, and will return true for PFNs right up
to HIGHMEM_START, even though they are beyond the end of low memory and
no page structs will actually exist for these PFNs.

This is fixed by skipping high memory regions when initially calculating
max_low_pfn if highmem is disabled, so it doesn't get clipped too high.
We also clip regions which overlap the highmem boundary when highmem is
disabled, so that max_pfn doesn't extend into highmem either.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14490/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:45:22 +01:00
Maciej W. Rozycki
f92722dc45 MIPS: Correct MIPS I FP sigcontext layout
Complement commit 80cbfad790 ("MIPS: Correct MIPS I FP context
layout") and correct the way Floating Point General registers are stored
in a signal context with MIPS I hardware.

Use the S.D and L.D assembly macros to have pairs of SWC1 instructions
and pairs of LWC1 instructions produced, respectively, in an arrangement
which makes the memory representation of floating-point data passed
compatible with that used by hardware SDC1 and LDC1 instructions, where
available, regardless of the hardware endianness used.  This matches the
layout used by r4k_fpu.S, ensuring run-time compatibility for MIPS I
software across all o32 hardware platforms.

Define an EX2 macro to handle exceptions from both hardware instructions
implicitly produced from S.D and L.D assembly macros.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14477/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:39:23 +01:00
Maciej W. Rozycki
758ef0a939 MIPS: Fix ISA I/II FP signal context offsets
Fix a regression introduced with commit 2db9ca0a35 ("MIPS: Use struct
mips_abi offsets to save FP context") for MIPS I/I FP signal contexts,
by converting save/restore code to the updated internal API.  Start FGR
offsets from 0 rather than SC_FPREGS from $a0 and use $a1 rather than
the offset of SC_FPC_CSR from $a0 for the Floating Point Control/Status
Register (FCSR).

Document the new internal API and adjust assembly code formatting for
consistency.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14476/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:38:52 +01:00
Maciej W. Rozycki
6daaa3266d MIPS: Remove FIR from ISA I FP signal context
Complement commit e50c0a8fa6 ("Support the MIPS32 / MIPS64 DSP ASE.")
and remove the Floating Point Implementation Register (FIR) from the FP
register set recorded in a signal context with MIPS I processors too, in
line with the change applied to r4k_fpu.S.

The `sc_fpc_eir' slot is unused according to our current ABI and the FIR
register is read-only and always directly accessible from user software.

[ralf@linux-mips.org: This is also required because the next commit depends
on it.]

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14475/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:38:50 +01:00
Maciej W. Rozycki
35938a00ba MIPS: Fix ISA I FP sigcontext access violation handling
Complement commit 0ae8dceaebe3 ("Merge with 2.3.10.") and use the local
`fault' handler to recover from FP sigcontext access violation faults,
like corresponding code does in r4k_fpu.S.  The `bad_stack' handler is
in syscall.c and is not suitable here as we want to propagate the error
condition up through the caller rather than killing the thread outright.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14474/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:38:41 +01:00
Maciej W. Rozycki
5a1aca4469 MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
Sanitize FCSR Cause bit handling, following a trail of past attempts:

* commit 4249548454 ("MIPS: ptrace: Fix FP context restoration FCSR
regression"),

* commit 443c44032a ("MIPS: Always clear FCSR cause bits after
emulation"),

* commit 64bedffe49 ("MIPS: Clear [MSA]FPE CSR.Cause after
notify_die()"),

* commit b1442d39fa ("MIPS: Prevent user from setting FCSR cause
bits"),

* commit b54d2901517d ("Properly handle branch delay slots in connection
with signals.").

Specifically do not mask these bits out in ptrace(2) processing and send
a SIGFPE signal instead whenever a matching pair of an FCSR Cause and
Enable bit is seen as execution of an affected context is about to
resume.  Only then clear Cause bits, and even then do not clear any bits
that are set but masked with the respective Enable bits.  Adjust Cause
bit clearing throughout code likewise, except within the FPU emulator
proper where they are set according to IEEE 754 exceptions raised as the
operation emulated executed.  Do so so that any IEEE 754 exceptions
subject to their default handling are recorded like with operations
executed by FPU hardware.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14460/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:28:41 +01:00
Maciej W. Rozycki
c9e5603974 MIPS: ptrace: Also initialize the FP context on individual FCSR writes
Complement commit ac9ad83bc3 ("MIPS: prevent FP context set via ptrace
being discarded") and also initialize the FP context whenever FCSR alone
is written with a PTRACE_POKEUSR request addressing FPC_CSR, rather than
along with the full FPU register set in the case of the PTRACE_SETFPREGS
request.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14459/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:28:17 +01:00
James Hogan
8a98495c70 MIPS: dump_tlb: Fix printk continuations
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from TLB dumps on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected output.

Continuation is also used for the second line of each TLB entry printed
in dump_tlb.c even though it has a newline, since it is a continuation
of the interpretation of the same TLB entry. For example:

[   46.371884] Index:  0 pgmask=16kb va=77654000 asid=73 gid=00
        [ri=0 xi=0 pa=ffc18000 c=5 d=0 v=1 g=0] [ri=0 xi=0 pa=ffc1c000 c=5 d=0 v=1 g=0]
[   46.385380] Index: 12 pgmask=16kb va=004b4000 asid=73 gid=00
        [ri=0 xi=0 pa=00000000 c=0 d=0 v=0 g=0] [ri=0 xi=0 pa=ffb00000 c=5 d=1 v=1 g=0]

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14444/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:04:32 +01:00
Paul Burton
752f549982 MIPS: Fix __show_regs() output
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from __show_regs() on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected register output.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14432/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:01:20 +01:00
Matt Redfearn
41000c5819 MIPS: traps: Fix output of show_code
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from show_code on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected output.

Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14431/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:00:49 +01:00
Matt Redfearn
fe4e09e701 MIPS: traps: Fix output of show_stacktrace
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from show_stacktrace on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected output. Also
start a new line with printk such that the presence of timing
information does not interfere with output.

Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14430/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:58:57 +01:00
Matt Redfearn
bcf084de5d MIPS: traps: Fix output of show_backtrace
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from show_backtrace on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected output.

Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14429/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:57:51 +01:00
Matt Redfearn
818f38c5b7 MIPS: Fix build of compressed image
Changes introduced to arch/mips/Makefile for the generic kernel resulted
in build errors when making a compressed image if platform-y has multiple
values, like this:

make[2]: *** No rule to make target `alchemy/'.
make[1]: *** [vmlinuz] Error 2
make[1]: Target `_all' not remade because of errors.
make: *** [sub-make] Error 2
make: Target `_all' not remade because of errors.

Fix this by quoting $(platform-y) as it is passed to the Makefile in
arch/mips/boot/compressed/Makefile

Reported-by: kernelci.org bot <bot@kernelci.org>
Link: https://storage.kernelci.org/next/next-20161017/mips-gpr_defconfig/build.log
Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14405/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:37:15 +01:00
Matt Redfearn
9a59061cfd MIPS: generic: Fix KASLR for generic kernel.
The KASLR code requires that the plat_get_fdt() function return the
address of the device tree, and it must be available early in the boot,
before prom_init() is called. Move the code determining the address of
the device tree into plat_get_fdt, and call that from prom_init().

The fdt pointer will be set up by plat_get_fdt() called from
relocate_kernel initially and once the relocated kernel has started,
prom_init() will use it again to determine the address in the relocated
image.

Fixes: eed0eabd12 ("MIPS: generic: Introduce generic DT-based board support")
Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14415/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:32:06 +01:00
Matt Redfearn
4736697963 MIPS: KASLR: Fix handling of NULL FDT
If platform code returns a NULL pointer to the FDT, initial_boot_params
will not get set to a valid pointer and attempting to find the /chosen
node in it will cause a NULL pointer dereference and the kernel to crash
immediately on startup - with no output to the console.

Fix this by checking that initial_boot_params is valid before using it.

Fixes: 405bc8fd12 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
Cc: stable@vger.kernel.org # 4.7+
Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14414/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:30:49 +01:00
Paul Burton
93032e31a5 MIPS: Malta: Fixup reboot
Commit 10b6ea0959 ("MIPS: Malta: Use syscon-reboot driver to reboot")
converted the Malta board to use the generic syscon-reboot driver to
handle reboots, but incorrectly used the value 0x4d rather than 0x42 as
the magic to write to the reboot register.

I also incorrectly believed that syscon/regmap would default to native
endianness, but this isn't the case. Force this by specifying with a
native-endian property in the devicetree.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Fixes: 10b6ea0959 ("MIPS: Malta: Use syscon-reboot driver to reboot")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Cc: linux-mips@linux-mips.org
Tested-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Maciej W. Rozycki <macro@imgtec.com>
Patchwork: https://patchwork.linux-mips.org/patch/14396/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:27:27 +01:00
Paul Burton
682c1e5221 MIPS: CPC: Provide default mips_cpc_default_phys_base to ignore CPC
Provide a default implementation of mips_cpc_default_phys_base() which
simply returns 0, and adjust mips_cpc_phys_base() to allow for
mips_cpc_default_phys_base() returning 0. This allows kernels which
include CPC support to be built without platform code & simply ignore
the CPC if it wasn't already enabled by the bootloader.

This fixes link failures such as the following from generic defconfigs:

   arch/mips/built-in.o: In function `mips_cpc_phys_base':
   arch/mips/kernel/mips-cpc.c:47: undefined reference to `mips_cpc_default_phys_base'

[ralf@linux-mips.org: changed prototype for coding style compliance.]

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14401/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:17:46 +01:00
Stefan Richter
e9300a4b7b firewire: net: fix fragmented datagram_size off-by-one
RFC 2734 defines the datagram_size field in fragment encapsulation
headers thus:

    datagram_size:  The encoded size of the entire IP datagram.  The
    value of datagram_size [...] SHALL be one less than the value of
    Total Length in the datagram's IP header (see STD 5, RFC 791).

Accordingly, the eth1394 driver of Linux 2.6.36 and older set and got
this field with a -/+1 offset:

    ether1394_tx() /* transmit */
        ether1394_encapsulate_prep()
            hdr->ff.dg_size = dg_size - 1;

    ether1394_data_handler() /* receive */
        if (hdr->common.lf == ETH1394_HDR_LF_FF)
            dg_size = hdr->ff.dg_size + 1;
        else
            dg_size = hdr->sf.dg_size + 1;

Likewise, I observe OS X 10.4 and Windows XP Pro SP3 to transmit 1500
byte sized datagrams in fragments with datagram_size=1499 if link
fragmentation is required.

Only firewire-net sets and gets datagram_size without this offset.  The
result is lacking interoperability of firewire-net with OS X, Windows
XP, and presumably Linux' eth1394.  (I did not test with the latter.)
For example, FTP data transfers to a Linux firewire-net box with max_rec
smaller than the 1500 bytes MTU
  - from OS X fail entirely,
  - from Win XP start out with a bunch of fragmented datagrams which
    time out, then continue with unfragmented datagrams because Win XP
    temporarily reduces the MTU to 576 bytes.

So let's fix firewire-net's datagram_size accessors.

Note that firewire-net thereby loses interoperability with unpatched
firewire-net, but only if link fragmentation is employed.  (This happens
with large broadcast datagrams, and with large datagrams on several
FireWire CardBus cards with smaller max_rec than equivalent PCI cards,
and it can be worked around by setting a small enough MTU.)

Cc: stable@vger.kernel.org
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2016-11-03 14:46:39 +01:00
Stefan Richter
667121ace9 firewire: net: guard against rx buffer overflows
The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams.  A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
  - GASP header, unfragmented encapsulation header, or fragment
    encapsulation header actually exists before we access it,
  - the encapsulated datagram or fragment is of nonzero size.

Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2016-11-03 14:46:39 +01:00