1. 09 Apr, 2020 7 commits
    • Ka-Cheong Poon's avatar
      net/rds: Fix MR reference counting problem · 2fabef4f
      Ka-Cheong Poon authored
      In rds_free_mr(), it calls rds_destroy_mr(mr) directly.  But this
      defeats the purpose of reference counting and makes MR free handling
      impossible.  It means that holding a reference does not guarantee that
      it is safe to access some fields.  For example, In
      rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then
      calls mr->r_trans->sync_mr().  But if rds_free_mr() (and
      rds_destroy_mr()) is called in between (there is no lock preventing
      this to happen), r_trans_private is set to NULL, causing a panic.
      Similar issue is in rds_rdma_unuse().
      Reported-by: default avatarzerons <sironhide0null@gmail.com>
      Signed-off-by: default avatarKa-Cheong Poon <ka-cheong.poon@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2fabef4f
    • Ka-Cheong Poon's avatar
    • Taehee Yoo's avatar
      net: macsec: fix using wrong structure in macsec_changelink() · 022e9d60
      Taehee Yoo authored
      In the macsec_changelink(), "struct macsec_tx_sa tx_sc" is used to
      store "macsec_secy.tx_sc".
      But, the struct type of tx_sc is macsec_tx_sc, not macsec_tx_sa.
      So, the macsec_tx_sc should be used instead.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add macsec0 link dummy0 type macsec
          ip link set macsec0 type macsec encrypt off
      
      Splat looks like:
      [61119.963483][ T9335] ==================================================================
      [61119.964709][ T9335] BUG: KASAN: slab-out-of-bounds in macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.965787][ T9335] Read of size 160 at addr ffff888020d69c68 by task ip/9335
      [61119.966699][ T9335]
      [61119.966979][ T9335] CPU: 0 PID: 9335 Comm: ip Not tainted 5.6.0+ #503
      [61119.967791][ T9335] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [61119.968914][ T9335] Call Trace:
      [61119.969324][ T9335]  dump_stack+0x96/0xdb
      [61119.969809][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.970554][ T9335]  print_address_description.constprop.5+0x1be/0x360
      [61119.971294][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.971973][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.972703][ T9335]  __kasan_report+0x12a/0x170
      [61119.973323][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.973942][ T9335]  kasan_report+0xe/0x20
      [61119.974397][ T9335]  check_memory_region+0x149/0x1a0
      [61119.974866][ T9335]  memcpy+0x1f/0x50
      [61119.975209][ T9335]  macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.975825][ T9335]  ? macsec_get_stats64+0x3e0/0x3e0 [macsec]
      [61119.976451][ T9335]  ? kernel_text_address+0x111/0x120
      [61119.976990][ T9335]  ? pskb_expand_head+0x25f/0xe10
      [61119.977503][ T9335]  ? stack_trace_save+0x82/0xb0
      [61119.977986][ T9335]  ? memset+0x1f/0x40
      [61119.978397][ T9335]  ? __nla_validate_parse+0x98/0x1ab0
      [61119.978936][ T9335]  ? macsec_alloc_tfm+0x90/0x90 [macsec]
      [61119.979511][ T9335]  ? __kasan_slab_free+0x111/0x150
      [61119.980021][ T9335]  ? kfree+0xce/0x2f0
      [61119.980700][ T9335]  ? netlink_trim+0x196/0x1f0
      [61119.981420][ T9335]  ? nla_memcpy+0x90/0x90
      [61119.982036][ T9335]  ? register_lock_class+0x19e0/0x19e0
      [61119.982776][ T9335]  ? memcpy+0x34/0x50
      [61119.983327][ T9335]  __rtnl_newlink+0x922/0x1270
      [ ... ]
      
      Fixes: 3cf3227a ("net: macsec: hardware offloading infrastructure")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      022e9d60
    • Colin Ian King's avatar
      net-sysfs: remove redundant assignment to variable ret · 5f0224a6
      Colin Ian King authored
      The variable ret is being initialized with a value that is never read
      and it is being updated later with a new value.  The initialization is
      redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f0224a6
    • Wang Wenhu's avatar
      net: qrtr: send msgs from local of same id as broadcast · 6dbf02ac
      Wang Wenhu authored
      If the local node id(qrtr_local_nid) is not modified after its
      initialization, it equals to the broadcast node id(QRTR_NODE_BCAST).
      So the messages from local node should not be taken as broadcast
      and keep the process going to send them out anyway.
      
      The definitions are as follow:
      static unsigned int qrtr_local_nid = NUMA_NO_NODE;
      
      Fixes: fdf5fd39 ("net: qrtr: Broadcast messages only from control port")
      Signed-off-by: default avatarWang Wenhu <wenhu.wang@vivo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dbf02ac
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2020-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 3d61a39d
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2020-04-08
      
      This series introduces some fixes to mlx5 driver.
      
      Please pull and let me know if there is any problem.
      
      For -stable v5.3
       ('net/mlx5: Fix frequent ioread PCI access during recovery')
       ('net/mlx5e: Add missing release firmware call')
      
      For -stable v5.4
       ('net/mlx5e: Fix nest_level for vlan pop action')
       ('net/mlx5e: Fix pfnum in devlink port attribute')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d61a39d
    • Lothar Rubusch's avatar
      Documentation: devlink: fix broken link warning · e750b84d
      Lothar Rubusch authored
      At 'make htmldocs' the following warning is thrown:
      
      Documentation/networking/devlink/devlink-trap.rst:302:
      WARNING: undefined label: generic-packet-trap-groups
      
      Fixes the warning by setting the label to the specified header,
      within the same document.
      Signed-off-by: default avatarLothar Rubusch <l.rubusch@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e750b84d
  2. 08 Apr, 2020 29 commits
  3. 07 Apr, 2020 4 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 63bef48f
      Linus Torvalds authored
      Merge more updates from Andrew Morton:
      
       - a lot more of MM, quite a bit more yet to come: (memcg, pagemap,
         vmalloc, pagealloc, migration, thp, ksm, madvise, virtio,
         userfaultfd, memory-hotplug, shmem, rmap, zswap, zsmalloc, cleanups)
      
       - various other subsystems (procfs, misc, MAINTAINERS, bitops, lib,
         checkpatch, epoll, binfmt, kallsyms, reiserfs, kmod, gcov, kconfig,
         ubsan, fault-injection, ipc)
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (158 commits)
        ipc/shm.c: make compat_ksys_shmctl() static
        ipc/mqueue.c: fix a brace coding style issue
        lib/Kconfig.debug: fix a typo "capabilitiy" -> "capability"
        ubsan: include bug type in report header
        kasan: unset panic_on_warn before calling panic()
        ubsan: check panic_on_warn
        drivers/misc/lkdtm/bugs.c: add arithmetic overflow and array bounds checks
        ubsan: split "bounds" checker from other options
        ubsan: add trap instrumentation option
        init/Kconfig: clean up ANON_INODES and old IO schedulers options
        kernel/gcov/fs.c: replace zero-length array with flexible-array member
        gcov: gcc_3_4: replace zero-length array with flexible-array member
        gcov: gcc_4_7: replace zero-length array with flexible-array member
        kernel/kmod.c: fix a typo "assuems" -> "assumes"
        reiserfs: clean up several indentation issues
        kallsyms: unexport kallsyms_lookup_name() and kallsyms_on_each_symbol()
        samples/hw_breakpoint: drop use of kallsyms_lookup_name()
        samples/hw_breakpoint: drop HW_BREAKPOINT_R when reporting writes
        fs/binfmt_elf.c: don't free interpreter's ELF pheaders on common path
        fs/binfmt_elf.c: allocate less for static executable
        ...
      63bef48f
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.7-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 04de788e
      Linus Torvalds authored
      Pull NFS client updates from Trond Myklebust:
       "Highlights include:
      
        Stable fixes:
         - Fix a page leak in nfs_destroy_unlinked_subrequests()
      
         - Fix use-after-free issues in nfs_pageio_add_request()
      
         - Fix new mount code constant_table array definitions
      
         - finish_automount() requires us to hold 2 refs to the mount record
      
        Features:
         - Improve the accuracy of telldir/seekdir by using 64-bit cookies
           when possible.
      
         - Allow one RDMA active connection and several zombie connections to
           prevent blocking if the remote server is unresponsive.
      
         - Limit the size of the NFS access cache by default
      
         - Reduce the number of references to credentials that are taken by
           NFS
      
         - pNFS files and flexfiles drivers now support per-layout segment
           COMMIT lists.
      
         - Enable partial-file layout segments in the pNFS/flexfiles driver.
      
         - Add support for CB_RECALL_ANY to the pNFS flexfiles layout type
      
         - pNFS/flexfiles Report NFS4ERR_DELAY and NFS4ERR_GRACE errors from
           the DS using the layouterror mechanism.
      
        Bugfixes and cleanups:
         - SUNRPC: Fix krb5p regressions
      
         - Don't specify NFS version in "UDP not supported" error
      
         - nfsroot: set tcp as the default transport protocol
      
         - pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid()
      
         - alloc_nfs_open_context() must use the file cred when available
      
         - Fix locking when dereferencing the delegation cred
      
         - Fix memory leaks in O_DIRECT when nfs_get_lock_context() fails
      
         - Various clean ups of the NFS O_DIRECT commit code
      
         - Clean up RDMA connect/disconnect
      
         - Replace zero-length arrays with C99-style flexible arrays"
      
      * tag 'nfs-for-5.7-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (86 commits)
        NFS: Clean up process of marking inode stale.
        SUNRPC: Don't start a timer on an already queued rpc task
        NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()
        NFS/pnfs: Fix dereference of layout cred in pnfs_layoutcommit_inode()
        NFS: Beware when dereferencing the delegation cred
        NFS: Add a module parameter to set nfs_mountpoint_expiry_timeout
        NFS: finish_automount() requires us to hold 2 refs to the mount record
        NFS: Fix a few constant_table array definitions
        NFS: Try to join page groups before an O_DIRECT retransmission
        NFS: Refactor nfs_lock_and_join_requests()
        NFS: Reverse the submission order of requests in __nfs_pageio_add_request()
        NFS: Clean up nfs_lock_and_join_requests()
        NFS: Remove the redundant function nfs_pgio_has_mirroring()
        NFS: Fix memory leaks in nfs_pageio_stop_mirroring()
        NFS: Fix a request reference leak in nfs_direct_write_clear_reqs()
        NFS: Fix use-after-free issues in nfs_pageio_add_request()
        NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests()
        NFS: Fix a page leak in nfs_destroy_unlinked_subrequests()
        NFS: Remove unused FLUSH_SYNC support in nfs_initiate_pgio()
        pNFS/flexfiles: Specify the layout segment range in LAYOUTGET
        ...
      04de788e
    • Linus Torvalds's avatar
      Merge tag 'f2fs-for-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs · f40f31ca
      Linus Torvalds authored
      Pull f2fs updates from Jaegeuk Kim:
       "In this round, we've mainly focused on fixing bugs and addressing
        issues in recently introduced compression support.
      
        Enhancement:
         - add zstd support, and set LZ4 by default
         - add ioctl() to show # of compressed blocks
         - show mount time in debugfs
         - replace rwsem with spinlock
         - avoid lock contention in DIO reads
      
        Some major bug fixes wrt compression:
         - compressed block count
         - memory access and leak
         - remove obsolete fields
         - flag controls
      
        Other bug fixes and clean ups:
         - fix overflow when handling .flags in inode_info
         - fix SPO issue during resize FS flow
         - fix compression with fsverity enabled
         - potential deadlock when writing compressed pages
         - show missing mount options"
      
      * tag 'f2fs-for-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs: (66 commits)
        f2fs: keep inline_data when compression conversion
        f2fs: fix to disable compression on directory
        f2fs: add missing CONFIG_F2FS_FS_COMPRESSION
        f2fs: switch discard_policy.timeout to bool type
        f2fs: fix to verify tpage before releasing in f2fs_free_dic()
        f2fs: show compression in statx
        f2fs: clean up dic->tpages assignment
        f2fs: compress: support zstd compress algorithm
        f2fs: compress: add .{init,destroy}_decompress_ctx callback
        f2fs: compress: fix to call missing destroy_compress_ctx()
        f2fs: change default compression algorithm
        f2fs: clean up {cic,dic}.ref handling
        f2fs: fix to use f2fs_readpage_limit() in f2fs_read_multi_pages()
        f2fs: xattr.h: Make stub helpers inline
        f2fs: fix to avoid double unlock
        f2fs: fix potential .flags overflow on 32bit architecture
        f2fs: fix NULL pointer dereference in f2fs_verity_work()
        f2fs: fix to clear PG_error if fsverity failed
        f2fs: don't call fscrypt_get_encryption_info() explicitly in f2fs_tmpfile()
        f2fs: don't trigger data flush in foreground operation
        ...
      f40f31ca
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs · 763dede1
      Linus Torvalds authored
      Pull UBI and UBIFS updates from Richard Weinberger:
      
       - Fix for memory leaks around UBIFS orphan handling
      
       - Fix for memory leaks around UBI fastmap
      
       - Remove zero-length array from ubi-media.h
      
       - Fix for TNC lookup in UBIFS orphan code
      
      * tag 'for-linus-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
        ubi: ubi-media.h: Replace zero-length array with flexible-array member
        ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
        ubi: fastmap: Only produce the initial anchor PEB when fastmap is used
        ubi: fastmap: Free unused fastmap anchor peb during detach
        ubifs: ubifs_add_orphan: Fix a memory leak bug
        ubifs: ubifs_jnl_write_inode: Fix a memory leak bug
        ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans()
      763dede1