Pull tomoyo updates from James Morris:
"Fixes to enable fuzz testing, and a fix for calculating whether a
filesystem is user-modifiable"
* 'next-tomoyo2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
tomoyo: Don't emit WARNING: string while fuzzing testing.
tomoyo: Change pathname calculation for read-only filesystems.
tomoyo: Check address length before reading address family
tomoyo: Add a kernel config option for fuzzing testing.
Pull xtensa updates from Max Filippov:
- implement atomic operations using exclusive access Xtensa option
operations
- add support for Xtensa cores with memory protection unit (MPU)
- clean up xtensa-specific kernel-only headers
- fix error path in simdisk_setup
* tag 'xtensa-20190510' of git://github.com/jcmvbkbc/linux-xtensa:
xtensa: implement initialize_cacheattr for MPU cores
xtensa: add exclusive atomics support
xtensa: clean up inline assembly in futex.h
xtensa: replace variant/core.h with asm/core.h
xtensa: drop ifdef __KERNEL__ from kernel-only headers
xtensa: set proper error code for simdisk_setup()
xtensa: fix incorrect fd close in error case of simdisk_setup()
User Mode Linux does not have access to the ip or sp fields of the pt_regs,
and accessing them causes UML to fail to build. Hide the int3_emulate_jmp()
and int3_emulate_call() instructions from UML, as it doesn't need them
anyway.
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
When using the hrtimer iio trigger timestamp isn't updated.
If we use iio_get_time_ns it is updated correctly.
Fixes: 2a86487786 ("iio: adc: ti-ads8688: add trigger and buffer support")
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
The ds4424_get_value function takes channel number as it's 3rd
argument and translates it internally into I2C address using
DS4424_DAC_ADDR macro. The caller ds4424_verify_chip was passing an
already translated I2C address as its last argument.
Signed-off-by: Ruslan Babayev <ruslan@babayev.com>
Cc: xe-linux-external@cisco.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Clear any interrupt that still is on the device on every channel
this driver is activated for in probe and specific channels in
the timeout handler.
Signed-off-by: Philippe Schenker <philippe.schenker@toradex.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Use wait_for_completion_timeout instead of
wait_for_completion_interuptible_timeout.
The interruptible variant gets constantly interrupted if a user
program is compiled with the -pg option.
The killable variant was not used due to the fact that a second
program, reading on this device, that gets killed is then also killing
that wait.
Signed-off-by: Philippe Schenker <philippe.schenker@toradex.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
This commit will enable the interrupts of all channels handled by this
driver only once in the probe function.
This will improve performance because one byte less has to be written over
i2c on each read out of the adc. On the fastest ADC mode this will improve
read out speed by 15%.
Signed-off-by: Philippe Schenker <philippe.schenker@toradex.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
In some cases, the wait_completion got interrupted. This caused the
error-handling to mutex_unlock the function. The before turned on
interrupt then got called anyway. In the ISR then completion() was
called causing wrong adc-values returned in a following adc-readout.
Reinitialise completion struct to make sure the counter is zero
when beginning a new adc-conversion.
Signed-off-by: Philippe Schenker <philippe.schenker@toradex.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
There are two cases where u32 variables n and err are being checked
for less than zero error values, the checks is always false because
the variables are not signed. Fix this by making the variables ints.
Addresses-Coverity: ("Unsigned compared against 0")
Fixes: 345c0dbf3a ("ext4: protect journal inode's blocks using block_validity")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
The buffer_head (frames[0].bh) and it's corresping page can be
potentially free'd once brelse() is done inside the for loop
but before the for loop exits in dx_release(). It can be free'd
in another context, when the page cache is flushed via
drop_caches_sysctl_handler(). This results into below data abort
when accessing info->indirect_levels in dx_release().
Unable to handle kernel paging request at virtual address ffffffc17ac3e01e
Call trace:
dx_release+0x70/0x90
ext4_htree_fill_tree+0x2d4/0x300
ext4_readdir+0x244/0x6f8
iterate_dir+0xbc/0x160
SyS_getdents64+0x94/0x174
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
Unaligned AIO must be serialized because the zeroing of partial blocks
of unaligned AIO can result in data corruption in case it's overlapping
another in flight IO.
Currently we wait for all unwritten extents before we submit unaligned
AIO which protects data in case of unaligned AIO is following overlapping
IO. However if a unaligned AIO is followed by overlapping aligned AIO we
can still end up corrupting data.
To fix this, we must make sure that the unaligned AIO is the only IO in
flight by waiting for unwritten extents conversion not just before the
IO submission, but right after it as well.
This problem can be reproduced by xfstest generic/538
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
When failing from creating cache jbd2_inode_cache, we will destroy the
previously created cache jbd2_handle_cache twice. This patch fixes
this by moving each cache initialization/destruction to its own
separate, individual function.
Signed-off-by: Chengguang Xu <cgxu519@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
This commit zeroes out the unused memory region in the buffer_head
corresponding to the extent metablock after writing the extent header
and the corresponding extent node entries.
This is done to prevent random uninitialized data from getting into
the filesystem when the extent block is synced.
This fixes CVE-2019-11833.
Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Use gen_rtx_set instead of gen_rtx_SET. The former is a wrapper macro
that handles the difference between GCC versions implementing
the latter.
This fixes the following error on my system with g++ 5.4.0 as the host
compiler
HOSTCXX -fPIC scripts/gcc-plugins/arm_ssp_per_task_plugin.o
scripts/gcc-plugins/arm_ssp_per_task_plugin.c:42:14: error: macro "gen_rtx_SET" requires 3 arguments, but only 2 given
mask)),
^
scripts/gcc-plugins/arm_ssp_per_task_plugin.c: In function ‘unsigned int arm_pertask_ssp_rtl_execute()’:
scripts/gcc-plugins/arm_ssp_per_task_plugin.c:39:20: error: ‘gen_rtx_SET’ was not declared in this scope
emit_insn_before(gen_rtx_SET
Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Fixes: 189af46571 ("ARM: smp: add support for per-task stack canaries")
Cc: stable@vger.kernel.org
Tested-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Add missing page operation callbacks to few Realtek drivers.
This also fixes a NPE after the referenced commit added code to the
RTL8211E driver that uses phy_select_page().
Fixes: f81dadbcf7 ("net: phy: realtek: Add rtl8211e rx/tx delays config")
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Reported-by: Vicente Bergas <vicencb@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Petr Štetiar says:
====================
of_get_mac_address fixes
this patch series is hopefuly the last series of the fixes which are related
to the introduction of NVMEM support into of_get_mac_address.
First patch is removing `nvmem-mac-address` property which was wrong idea as
I've allocated the property with devm_kzalloc and then added it to DT, so then
2 entities would be refcounting the allocation. So if the driver unbinds, the
buffer is freed, but DT code would be still referencing that memory.
Second patch fixes some unwanted references to the Linux API in the DT
bindings documentation.
Patches 3-5 should hopefully make compilers and thus kbuild test robot happy.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes following (similar) warning reported by kbuild test robot:
In function ‘memcpy’,
inlined from ‘smsc75xx_init_mac_address’ at drivers/net/usb/smsc75xx.c:778:3,
inlined from ‘smsc75xx_bind’ at drivers/net/usb/smsc75xx.c:1501:2:
./include/linux/string.h:355:9: warning: argument 2 null where non-null expected [-Wnonnull]
return __builtin_memcpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/usb/smsc75xx.c: In function ‘smsc75xx_bind’:
./include/linux/string.h:355:9: note: in a call to built-in function ‘__builtin_memcpy’
I've replaced the offending memcpy with ether_addr_copy, because I'm
100% sure, that of_get_mac_address can't return NULL as it returns valid
pointer or ERR_PTR encoded value, nothing else.
I'm hesitant to just change IS_ERR into IS_ERR_OR_NULL check, as this
would make the warning disappear also, but it would be confusing to
check for impossible return value just to make a compiler happy.
I'm now changing all occurencies of memcpy to ether_addr_copy after the
of_get_mac_address call, as it's very likely, that we're going to get
similar reports from kbuild test robot in the future.
Fixes: d31a36b5f4 ("net: wireless: support of_get_mac_address new ERR_PTR error")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes following (similar) warning reported by kbuild test robot:
In function ‘memcpy’,
inlined from ‘smsc75xx_init_mac_address’ at drivers/net/usb/smsc75xx.c:778:3,
inlined from ‘smsc75xx_bind’ at drivers/net/usb/smsc75xx.c:1501:2:
./include/linux/string.h:355:9: warning: argument 2 null where non-null expected [-Wnonnull]
return __builtin_memcpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/usb/smsc75xx.c: In function ‘smsc75xx_bind’:
./include/linux/string.h:355:9: note: in a call to built-in function ‘__builtin_memcpy’
I've replaced the offending memcpy with ether_addr_copy, because I'm
100% sure, that of_get_mac_address can't return NULL as it returns valid
pointer or ERR_PTR encoded value, nothing else.
I'm hesitant to just change IS_ERR into IS_ERR_OR_NULL check, as this
would make the warning disappear also, but it would be confusing to
check for impossible return value just to make a compiler happy.
I'm now changing all occurencies of memcpy to ether_addr_copy after the
of_get_mac_address call, as it's very likely, that we're going to get
similar reports from kbuild test robot in the future.
Fixes: a51645f70f ("net: ethernet: support of_get_mac_address new ERR_PTR error")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes following (similar) warning reported by kbuild test robot:
In function ‘memcpy’,
inlined from ‘smsc75xx_init_mac_address’ at drivers/net/usb/smsc75xx.c:778:3,
inlined from ‘smsc75xx_bind’ at drivers/net/usb/smsc75xx.c:1501:2:
./include/linux/string.h:355:9: warning: argument 2 null where non-null expected [-Wnonnull]
return __builtin_memcpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/usb/smsc75xx.c: In function ‘smsc75xx_bind’:
./include/linux/string.h:355:9: note: in a call to built-in function ‘__builtin_memcpy’
I've replaced the offending memcpy with ether_addr_copy, because I'm
100% sure, that of_get_mac_address can't return NULL as it returns valid
pointer or ERR_PTR encoded value, nothing else.
I'm hesitant to just change IS_ERR into IS_ERR_OR_NULL check, as this
would make the warning disappear also, but it would be confusing to
check for impossible return value just to make a compiler happy.
I'm now changing all occurencies of memcpy to ether_addr_copy after the
of_get_mac_address call, as it's very likely, that we're going to get
similar reports from kbuild test robot in the future.
Fixes: ea168cdf12 ("powerpc: tsi108: support of_get_mac_address new ERR_PTR error")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
In commit 687e3d5550 ("dt-bindings: doc: reflect new NVMEM
of_get_mac_address behaviour") I've kept or added references to Linux
of_get_mac_address API which is unwanted so this patch fixes that by
removing those references.
Fixes: 687e3d5550 ("dt-bindings: doc: reflect new NVMEM of_get_mac_address behaviour")
Suggested-by: Rob Herring <robh@kernel.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
In commit d01f449c00 ("of_net: add NVMEM support to
of_get_mac_address") I've added `nvmem-mac-address` property which was
wrong idea as I've allocated the property with devm_kzalloc and then
added it to DT, so then 2 entities would be refcounting the allocation.
So if the driver unbinds, the buffer is freed, but DT code would be
still referencing that memory.
I'm removing this property completely instead of fixing it, as it's not
needed to have it.
Fixes: d01f449c00 ("of_net: add NVMEM support to of_get_mac_address")
Suggested-by: Rob Herring <robh@kernel.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Only set the device carrier state to on after receiving an up link
state indication from the underlying adapter. Likewise, if a down
link indication is receieved, update the carrier state accordingly.
This fix ensures that accurate carrier state is reported by the driver
following a link state update by the underlying adapter.
Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
It was discovered in testing that the underlying hardware MAC
address will revert to initial settings following a device reset,
but the driver fails to resend the current OS MAC settings. This
oversight can result in dropped packets should the scenario occur.
Fix this by informing hardware of current MAC address settings
following any adapter initialization or resets.
Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fix gcc build error:
net/dsa/tag_brcm.c:211:16: error: brcm_prepend_netdev_ops undeclared here (not in a function); did you mean brcm_netdev_ops?
DSA_TAG_DRIVER(brcm_prepend_netdev_ops);
^
./include/net/dsa.h:708:10: note: in definition of macro DSA_TAG_DRIVER
.ops = &__ops, \
^~~~~
./include/net/dsa.h:701:36: warning: dsa_tag_driver_brcm_prepend_netdev_ops defined but not used [-Wunused-variable]
#define DSA_TAG_DRIVER_NAME(__ops) dsa_tag_driver ## _ ## __ops
^
./include/net/dsa.h:707:30: note: in expansion of macro DSA_TAG_DRIVER_NAME
static struct dsa_tag_driver DSA_TAG_DRIVER_NAME(__ops) = { \
^~~~~~~~~~~~~~~~~~~
net/dsa/tag_brcm.c:211:1: note: in expansion of macro DSA_TAG_DRIVER
DSA_TAG_DRIVER(brcm_prepend_netdev_ops);
Like the CONFIG_NET_DSA_TAG_BRCM case,
brcm_prepend_netdev_ops and DSA_TAG_PROTO_BRCM_PREPEND
should be wrappeed by CONFIG_NET_DSA_TAG_BRCM_PREPEND.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: b74b70c449 ("net: dsa: Support prepended Broadcom tag")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently error return from kobject_init_and_add() is not followed by a
call to kobject_put(). This means there is a memory leak. We currently
set p to NULL so that kfree() may be called on it as a noop, the code is
arguably clearer if we move the kfree() up closer to where it is
called (instead of after goto jump).
Remove a goto label 'err1' and jump to call to kobject_put() in error
return from kobject_init_and_add() fixing the memory leak. Re-name goto
label 'put_back' to 'err1' now that we don't use err1, following current
nomenclature (err1, err2 ...). Move call to kfree out of the error
code at bottom of function up to closer to where memory was allocated.
Add comment to clarify call to kfree().
Signed-off-by: Tobin C. Harding <tobin@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit cff0e6c3ec3e6230 ("tomoyo: Add a kernel config option for fuzzing
testing.") enabled the learning mode, but syzkaller is detecting any
"WARNING:" string as a crash. Thus, disable TOMOYO's quota warning if
built for fuzzing testing.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: James Morris <jamorris@linux.microsoft.com>
Commit 5625f2e326 ("TOMOYO: Change pathname for non-rename()able
filesystems.") intended to be applied to filesystems where the content is
not controllable from the userspace (e.g. proc, sysfs, securityfs), based
on an assumption that such filesystems do not support rename() operation.
But it turned out that read-only filesystems also do not support rename()
operation despite the content is controllable from the userspace, and that
commit is annoying TOMOYO users who want to use e.g. squashfs as the root
filesystem due to use of local name which does not start with '/'.
Therefore, based on an assumption that filesystems which require the
device argument upon mount() request is an indication that the content
is controllable from the userspace, do not use local name if a filesystem
does not support rename() operation but requires the device argument upon
mount() request.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jamorris@linux.microsoft.com>
KMSAN will complain if valid address length passed to bind()/connect()/
sendmsg() is shorter than sizeof("struct sockaddr"->sa_family) bytes.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jamorris@linux.microsoft.com>
The only purpose of klp_check_compiler_support() is to make sure that we
are not using ftrace on x86 via mcount (because that's executed only after
prologue has already happened, and that's too late for livepatching
purposes).
Now that mcount is not supported by ftrace any more, there is no need for
klp_check_compiler_support() either.
Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1905102346100.17054@cbobk.fhfr.pm
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
This patch modifies the initial page mapping functions in the following way:
During bootup the init, text and data pages will be mapped RWX and if
supported, with huge pages.
At final stage of the bootup, the kernel calls free_initmem() and then all
pages will be remapped either R-X (for text and read-only data) or RW- (for
data). The __init pages will be dropped.
This reflects the behaviour of the x86 platform.
Signed-off-by: Helge Deller <deller@gmx.de>
When running an SMP kernel on a single-CPU machine, we can speed up the
CAS code by replacing the LDCW sync barrier with NOP.
Signed-off-by: Helge Deller <deller@gmx.de>
