1. 11 Mar, 2019 2 commits
  2. 08 Mar, 2019 2 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: fix set double-free in abort path · 40ba1d9b
      Pablo Neira Ayuso authored
      The abort path can cause a double-free of an anonymous set.
      Added-and-to-be-aborted rule looks like this:
      
      udp dport { 137, 138 } drop
      
      The to-be-aborted transaction list looks like this:
      
      newset
      newsetelem
      newsetelem
      rule
      
      This gets walked in reverse order, so first pass disables the rule, the
      set elements, then the set.
      
      After synchronize_rcu(), we then destroy those in same order: rule, set
      element, set element, newset.
      
      Problem is that the anonymous set has already been bound to the rule, so
      the rule (lookup expression destructor) already frees the set, when then
      cause use-after-free when trying to delete the elements from this set,
      then try to free the set again when handling the newset expression.
      
      Rule releases the bound set in first place from the abort path, this
      causes the use-after-free on set element removal when undoing the new
      element transactions. To handle this, skip new element transaction if
      set is bound from the abort path.
      
      This is still causes the use-after-free on set element removal.  To
      handle this, remove transaction from the list when the set is already
      bound.
      
      Joint work with Florian Westphal.
      
      Fixes: f6ac8585 ("netfilter: nf_tables: unbind set in rule from commit path")
      Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      40ba1d9b
    • Florian Westphal's avatar
      netfilter: nat: don't register device notifier twice · 46f7487e
      Florian Westphal authored
      Otherwise, we get notifier list corruption.
      
      This is the most simple fix: remove the device notifier call chain
      from the ipv6 masquerade register function and handle it only
      in the ipv4 version.
      
      The better fix is merge
      nf_nat_masquerade_ipv4/6_(un)register_notifier
        into a single
      nf_nat_masquerade_(un)register_notifiers
      
      but to do this its needed to first merge the two masquerade modules
      into a single xt_MASQUERADE.
      
      Furthermore, we need to use different refcounts for ipv4/ipv6
      until we can merge MASQUERADE.
      
      Fixes: d1aca8ab ("netfilter: nat: merge ipv4 and ipv6 masquerade functionality")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      46f7487e
  3. 07 Mar, 2019 12 commits
    • Eric Dumazet's avatar
      net/hsr: fix possible crash in add_timer() · 1e027960
      Eric Dumazet authored
      syzbot found another add_timer() issue, this time in net/hsr [1]
      
      Let's use mod_timer() which is safe.
      
      [1]
      kernel BUG at kernel/time/timer.c:1136!
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN
      CPU: 0 PID: 15909 Comm: syz-executor.3 Not tainted 5.0.0+ #97
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      kobject: 'loop2' (00000000f5629718): kobject_uevent_env
      RIP: 0010:add_timer kernel/time/timer.c:1136 [inline]
      RIP: 0010:add_timer+0x654/0xbe0 kernel/time/timer.c:1134
      Code: 0f 94 c5 31 ff 44 89 ee e8 09 61 0f 00 45 84 ed 0f 84 77 fd ff ff e8 bb 5f 0f 00 e8 07 10 a0 ff e9 68 fd ff ff e8 ac 5f 0f 00 <0f> 0b e8 a5 5f 0f 00 0f 0b e8 9e 5f 0f 00 4c 89 b5 58 ff ff ff e9
      RSP: 0018:ffff8880656eeca0 EFLAGS: 00010246
      kobject: 'loop2' (00000000f5629718): fill_kobj_path: path = '/devices/virtual/block/loop2'
      RAX: 0000000000040000 RBX: 1ffff1100caddd9a RCX: ffffc9000c436000
      RDX: 0000000000040000 RSI: ffffffff816056c4 RDI: ffff88806a2f6cc8
      RBP: ffff8880656eed58 R08: ffff888067f4a300 R09: ffff888067f4abc8
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88806a2f6cc0
      R13: dffffc0000000000 R14: 0000000000000001 R15: ffff8880656eed30
      FS:  00007fc2019bf700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000738000 CR3: 0000000067e8e000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       hsr_check_announce net/hsr/hsr_device.c:99 [inline]
       hsr_check_carrier_and_operstate+0x567/0x6f0 net/hsr/hsr_device.c:120
       hsr_netdev_notify+0x297/0xa00 net/hsr/hsr_main.c:51
       notifier_call_chain+0xc7/0x240 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
       call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
       call_netdevice_notifiers net/core/dev.c:1765 [inline]
       dev_open net/core/dev.c:1436 [inline]
       dev_open+0x143/0x160 net/core/dev.c:1424
       team_port_add drivers/net/team/team.c:1203 [inline]
       team_add_slave+0xa07/0x15d0 drivers/net/team/team.c:1933
       do_set_master net/core/rtnetlink.c:2358 [inline]
       do_set_master+0x1d4/0x230 net/core/rtnetlink.c:2332
       do_setlink+0x966/0x3510 net/core/rtnetlink.c:2493
       rtnl_setlink+0x271/0x3b0 net/core/rtnetlink.c:2747
       rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192
       netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485
       rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925
       sock_sendmsg_nosec net/socket.c:622 [inline]
       sock_sendmsg+0xdd/0x130 net/socket.c:632
       sock_write_iter+0x27c/0x3e0 net/socket.c:923
       call_write_iter include/linux/fs.h:1869 [inline]
       do_iter_readv_writev+0x5e0/0x8e0 fs/read_write.c:680
       do_iter_write fs/read_write.c:956 [inline]
       do_iter_write+0x184/0x610 fs/read_write.c:937
       vfs_writev+0x1b3/0x2f0 fs/read_write.c:1001
       do_writev+0xf6/0x290 fs/read_write.c:1036
       __do_sys_writev fs/read_write.c:1109 [inline]
       __se_sys_writev fs/read_write.c:1106 [inline]
       __x64_sys_writev+0x75/0xb0 fs/read_write.c:1106
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x457f29
      Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fc2019bec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457f29
      RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000003
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc2019bf6d4
      R13: 00000000004c4a60 R14: 00000000004dd218 R15: 00000000ffffffff
      
      Fixes: f421436a ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Arvid Brodin <arvid.brodin@alten.se>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e027960
    • Dirk van der Merwe's avatar
      nfp: fix simple vNIC mailbox length · eaab2d2d
      Dirk van der Merwe authored
      The simple vNIC mailbox length should be 12 decimal and not 0x12.
      Using a decimal also makes it clear this is a length value and not
      another field within the simple mailbox defines.
      
      Found by code inspection, there are no known firmware configurations
      where this would cause issues.
      
      Fixes: 527d7d1b ("nfp: read mailbox address from TLV caps")
      Signed-off-by: default avatarDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eaab2d2d
    • Nathan Chancellor's avatar
      net: atm: Add another IS_ENABLED(CONFIG_COMPAT) in atm_dev_ioctl · 0805a4b8
      Nathan Chancellor authored
      I removed compat's universal assignment to 0, which allows this if
      statement to fall through when compat is passed with a value other
      than 0.
      
      Fixes: f9d19a74 ("net: atm: Use IS_ENABLED in atm_dev_ioctl")
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0805a4b8
    • Nathan Chancellor's avatar
      net: stmmac: Avoid sometimes uninitialized Clang warnings · df103170
      Nathan Chancellor authored
      When building with -Wsometimes-uninitialized, Clang warns:
      
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:495:3: warning: variable 'ns' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:495:3: warning: variable 'ns' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:532:3: warning: variable 'ns' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:532:3: warning: variable 'ns' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:741:3: warning: variable 'sec_inc' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:741:3: warning: variable 'sec_inc' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
      
      Clang is concerned with the use of stmmac_do_void_callback (which
      stmmac_get_timestamp and stmmac_config_sub_second_increment wrap),
      as it may fail to initialize these values if the if condition was ever
      false (meaning the callbacks don't exist). It's not wrong because the
      callbacks (get_timestamp and config_sub_second_increment respectively)
      are the ones that initialize the variables. While it's unlikely that the
      callbacks are ever going to disappear and make that condition false, we
      can easily avoid this warning by zero initialize the variables.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/384Suggested-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df103170
    • Nathan Chancellor's avatar
      net: atm: Use IS_ENABLED in atm_dev_ioctl · f9d19a74
      Nathan Chancellor authored
      When building with -Wsometimes-uninitialized, Clang warns:
      
      net/atm/resources.c:256:6: warning: variable 'number' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
      net/atm/resources.c:212:7: warning: variable 'iobuf_len' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
      
      Clang won't realize that compat is 0 when CONFIG_COMPAT is not set until
      the constant folding stage, which happens after this semantic analysis.
      Use IS_ENABLED instead so that the zero is present at the semantic
      analysis stage, which eliminates this warning.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/386Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9d19a74
    • Arnd Bergmann's avatar
      ethtool: reduce stack usage with clang · 3499e87e
      Arnd Bergmann authored
      clang inlines the dev_ethtool() more aggressively than gcc does, leading
      to a larger amount of used stack space:
      
      net/core/ethtool.c:2536:24: error: stack frame size of 1216 bytes in function 'dev_ethtool' [-Werror,-Wframe-larger-than=]
      
      Marking the sub-functions that require the most stack space as
      noinline_for_stack gives us reasonable behavior on all compilers.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3499e87e
    • Sudarsana Reddy Kalluru's avatar
      qede: Fix internal loopback failure with jumbo mtu configuration · b89869da
      Sudarsana Reddy Kalluru authored
      Driver uses port-mtu as packet-size for the loopback traffic. This patch
      limits the max packet size to 1.5K to avoid data being split over multiple
      buffer descriptors (BDs) in cases where MTU > PAGE_SIZE.
      Signed-off-by: default avatarSudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: default avatarAriel Elior <aelior@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b89869da
    • Arnd Bergmann's avatar
      enic: fix build warning without CONFIG_CPUMASK_OFFSTACK · 43d28166
      Arnd Bergmann authored
      The enic driver relies on the CONFIG_CPUMASK_OFFSTACK feature to
      dynamically allocate a struct member, but this is normally intended for
      local variables.
      
      Building with clang, I get a warning for a few locations that check the
      address of the cpumask_var_t:
      
      drivers/net/ethernet/cisco/enic/enic_main.c:122:22: error: address of array 'enic->msix[i].affinity_mask' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
      
      As far as I can tell, the code is still correct, as the truth value of
      the pointer is what we need in this configuration. To get rid of
      the warning, use cpumask_available() instead of checking the
      pointer directly.
      
      Fixes: 322cf7e3 ("enic: assign affinity hint to interrupts")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43d28166
    • Arnd Bergmann's avatar
      peak_usb: fix clang build warning · a2ae6da0
      Arnd Bergmann authored
      Clang points out undefined behavior when building the pcan_usb_pro driver:
      
      drivers/net/can/usb/peak_usb/pcan_usb_pro.c:136:15: error: passing an object that undergoes default argument promotion to 'va_start' has undefined behavior [-Werror,-Wvarargs]
      
      Changing the function prototype to avoid argument promotion in the
      varargs call avoids the warning, and should make this well-defined.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a2ae6da0
    • Masaru Nagai's avatar
      ravb: Decrease TxFIFO depth of Q3 and Q2 to one · ae9819e3
      Masaru Nagai authored
      Hardware has the CBS (Credit Based Shaper) which affects only Q3
      and Q2. When updating the CBS settings, even if the driver does so
      after waiting for Tx DMA finished, there is a possibility that frame
      data still remains in TxFIFO.
      
      To avoid this, decrease TxFIFO depth of Q3 and Q2 to one.
      
      This patch has been exercised this using netperf TCP_MAERTS, TCP_STREAM
      and UDP_STREAM tests run on an Ebisu board. No performance change was
      detected, outside of noise in the tests, both in terms of throughput and
      CPU utilisation.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Signed-off-by: default avatarMasaru Nagai <masaru.nagai.vx@renesas.com>
      Signed-off-by: default avatarKazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
      [simon: updated changelog]
      Signed-off-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae9819e3
    • Arnd Bergmann's avatar
      isdn: isdnloop: fix pointer dereference bug · 8a72b81e
      Arnd Bergmann authored
      clang has spotted an ancient code bug and warns about it with:
      
      drivers/isdn/isdnloop/isdnloop.c:573:12: error: address of array 'card->rcard' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
      
      This is an array of pointers, so we should check if a specific
      pointer exists in the array before using it, not whether the
      array itself exists.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a72b81e
    • Arnd Bergmann's avatar
      davinci_emac: always build in CONFIG_OF code · f096ca63
      Arnd Bergmann authored
      clang warns about what seems to be an unintended use of an obscure C
      language feature where a forward declaration of an array remains usable
      when the final definition is never seen:
      
      drivers/net/ethernet/ti/davinci_emac.c:1694:34: error: tentative array definition assumed to have one element [-Werror]
      static const struct of_device_id davinci_emac_of_match[];
      
      There is no harm in always enabling the device tree matching code here,
      and it makes the code behave in a more conventional way aside from
      avoiding the warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f096ca63
  4. 06 Mar, 2019 9 commits
    • Soheil Hassas Yeganeh's avatar
      tcp: do not report TCP_CM_INQ of 0 for closed connections · 6466e715
      Soheil Hassas Yeganeh authored
      Returning 0 as inq to userspace indicates there is no more data to
      read, and the application needs to wait for EPOLLIN. For a connection
      that has received FIN from the remote peer, however, the application
      must continue reading until getting EOF (return value of 0
      from tcp_recvmsg) or an error, if edge-triggered epoll (EPOLLET) is
      being used. Otherwise, the application will never receive a new
      EPOLLIN, since there is no epoll edge after the FIN.
      
      Return 1 when there is no data left on the queue but the
      connection has received FIN, so that the applications continue
      reading.
      
      Fixes: b75eba76 (tcp: send in-queue bytes in cmsg upon read)
      Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6466e715
    • Mao Wenan's avatar
      net: hsr: fix memory leak in hsr_dev_finalize() · 6caabe7f
      Mao Wenan authored
      If hsr_add_port(hsr, hsr_dev, HSR_PT_MASTER) failed to
      add port, it directly returns res and forgets to free the node
      that allocated in hsr_create_self_node(), and forgets to delete
      the node->mac_list linked in hsr->self_node_db.
      
      BUG: memory leak
      unreferenced object 0xffff8881cfa0c780 (size 64):
        comm "syz-executor.0", pid 2077, jiffies 4294717969 (age 2415.377s)
        hex dump (first 32 bytes):
          e0 c7 a0 cf 81 88 ff ff 00 02 00 00 00 00 ad de  ................
          00 e6 49 cd 81 88 ff ff c0 9b 87 d0 81 88 ff ff  ..I.............
        backtrace:
          [<00000000e2ff5070>] hsr_dev_finalize+0x736/0x960 [hsr]
          [<000000003ed2e597>] hsr_newlink+0x2b2/0x3e0 [hsr]
          [<000000003fa8c6b6>] __rtnl_newlink+0xf1f/0x1600 net/core/rtnetlink.c:3182
          [<000000001247a7ad>] rtnl_newlink+0x66/0x90 net/core/rtnetlink.c:3240
          [<00000000e7d1b61d>] rtnetlink_rcv_msg+0x54e/0xb90 net/core/rtnetlink.c:5130
          [<000000005556bd3a>] netlink_rcv_skb+0x129/0x340 net/netlink/af_netlink.c:2477
          [<00000000741d5ee6>] netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
          [<00000000741d5ee6>] netlink_unicast+0x49a/0x650 net/netlink/af_netlink.c:1336
          [<000000009d56f9b7>] netlink_sendmsg+0x88b/0xdf0 net/netlink/af_netlink.c:1917
          [<0000000046b35c59>] sock_sendmsg_nosec net/socket.c:621 [inline]
          [<0000000046b35c59>] sock_sendmsg+0xc3/0x100 net/socket.c:631
          [<00000000d208adc9>] __sys_sendto+0x33e/0x560 net/socket.c:1786
          [<00000000b582837a>] __do_sys_sendto net/socket.c:1798 [inline]
          [<00000000b582837a>] __se_sys_sendto net/socket.c:1794 [inline]
          [<00000000b582837a>] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1794
          [<00000000c866801d>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
          [<00000000fea382d9>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
          [<00000000e01dacb3>] 0xffffffffffffffff
      
      Fixes: c5a75911 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6caabe7f
    • Vlad Buslov's avatar
      net: sched: flower: insert new filter to idr after setting its mask · ecb3dea4
      Vlad Buslov authored
      When adding new filter to flower classifier, fl_change() inserts it to
      handle_idr before initializing filter extensions and assigning it a mask.
      Normally this ordering doesn't matter because all flower classifier ops
      callbacks assume rtnl lock protection. However, when filter has an action
      that doesn't have its kernel module loaded, rtnl lock is released before
      call to request_module(). During this time the filter can be accessed bu
      concurrent task before its initialization is completed, which can lead to a
      crash.
      
      Example case of NULL pointer dereference in concurrent dump:
      
      Task 1                           Task 2
      
      tc_new_tfilter()
       fl_change()
        idr_alloc_u32(fnew)
        fl_set_parms()
         tcf_exts_validate()
          tcf_action_init()
           tcf_action_init_1()
            rtnl_unlock()
            request_module()
            ...                        rtnl_lock()
            				 tc_dump_tfilter()
            				  tcf_chain_dump()
      				   fl_walk()
      				    idr_get_next_ul()
      				    tcf_node_dump()
      				     tcf_fill_node()
      				      fl_dump()
      				       mask = &f->mask->key; <- NULL ptr
            rtnl_lock()
      
      Extension initialization and mask assignment don't depend on fnew->handle
      that is allocated by idr_alloc_u32(). Move idr allocation code after action
      creation and mask assignment in fl_change() to prevent concurrent access
      to not fully initialized filter when rtnl lock is released to load action
      module.
      
      Fixes: 01683a14 ("net: sched: refactor flower walk to iterate over idr")
      Signed-off-by: default avatarVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ecb3dea4
    • Vasily Averin's avatar
      tcp: detecting the misuse of .sendpage for Slab objects · a10674bf
      Vasily Averin authored
      sendpage was not designed for processing of the Slab pages,
      in some situations it can trigger BUG_ON on receiving side.
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a10674bf
    • Arnd Bergmann's avatar
      appletalk: Add atalk.h header files to MAINTAINERS file · 7b837623
      Arnd Bergmann authored
      Add the path names here so that git-send-email can pick up the
      netdev@vger.kernel.org Cc line automatically for a patch that
      only touches the headers.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7b837623
    • Arnd Bergmann's avatar
      appletalk: Fix compile regression · 27da0d2e
      Arnd Bergmann authored
      A bugfix just broke compilation of appletalk when CONFIG_SYSCTL
      is disabled:
      
      In file included from net/appletalk/ddp.c:65:
      net/appletalk/ddp.c: In function 'atalk_init':
      include/linux/atalk.h:164:34: error: expected expression before 'do'
       #define atalk_register_sysctl()  do { } while(0)
                                        ^~
      net/appletalk/ddp.c:1934:7: note: in expansion of macro 'atalk_register_sysctl'
        rc = atalk_register_sysctl();
      
      This is easier to avoid by using conventional inline functions
      as stubs rather than macros. The header already has inline
      functions for other purposes, so I'm changing over all the
      macros for consistency.
      
      Fixes: 6377f787 ("appletalk: Fix use-after-free in atalk_proc_exit")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      27da0d2e
    • Alan Maguire's avatar
      iptunnel: NULL pointer deref for ip_md_tunnel_xmit · f4b3ec4e
      Alan Maguire authored
      Naresh Kamboju noted the following oops during execution of selftest
      tools/testing/selftests/bpf/test_tunnel.sh on x86_64:
      
      [  274.120445] BUG: unable to handle kernel NULL pointer dereference
      at 0000000000000000
      [  274.128285] #PF error: [INSTR]
      [  274.131351] PGD 8000000414a0e067 P4D 8000000414a0e067 PUD 3b6334067 PMD 0
      [  274.138241] Oops: 0010 [#1] SMP PTI
      [  274.141734] CPU: 1 PID: 11464 Comm: ping Not tainted
      5.0.0-rc4-next-20190129 #1
      [  274.149046] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
      2.0b 07/27/2017
      [  274.156526] RIP: 0010:          (null)
      [  274.160280] Code: Bad RIP value.
      [  274.163509] RSP: 0018:ffffbc9681f83540 EFLAGS: 00010286
      [  274.168726] RAX: 0000000000000000 RBX: ffffdc967fa80a18 RCX: 0000000000000000
      [  274.175851] RDX: ffff9db2ee08b540 RSI: 000000000000000e RDI: ffffdc967fa809a0
      [  274.182974] RBP: ffffbc9681f83580 R08: ffff9db2c4d62690 R09: 000000000000000c
      [  274.190098] R10: 0000000000000000 R11: ffff9db2ee08b540 R12: ffff9db31ce7c000
      [  274.197222] R13: 0000000000000001 R14: 000000000000000c R15: ffff9db3179cf400
      [  274.204346] FS:  00007ff4ae7c5740(0000) GS:ffff9db31fa80000(0000)
      knlGS:0000000000000000
      [  274.212424] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  274.218162] CR2: ffffffffffffffd6 CR3: 00000004574da004 CR4: 00000000003606e0
      [  274.225292] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  274.232416] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  274.239541] Call Trace:
      [  274.241988]  ? tnl_update_pmtu+0x296/0x3b0
      [  274.246085]  ip_md_tunnel_xmit+0x1bc/0x520
      [  274.250176]  gre_fb_xmit+0x330/0x390
      [  274.253754]  gre_tap_xmit+0x128/0x180
      [  274.257414]  dev_hard_start_xmit+0xb7/0x300
      [  274.261598]  sch_direct_xmit+0xf6/0x290
      [  274.265430]  __qdisc_run+0x15d/0x5e0
      [  274.269007]  __dev_queue_xmit+0x2c5/0xc00
      [  274.273011]  ? dev_queue_xmit+0x10/0x20
      [  274.276842]  ? eth_header+0x2b/0xc0
      [  274.280326]  dev_queue_xmit+0x10/0x20
      [  274.283984]  ? dev_queue_xmit+0x10/0x20
      [  274.287813]  arp_xmit+0x1a/0xf0
      [  274.290952]  arp_send_dst.part.19+0x46/0x60
      [  274.295138]  arp_solicit+0x177/0x6b0
      [  274.298708]  ? mod_timer+0x18e/0x440
      [  274.302281]  neigh_probe+0x57/0x70
      [  274.305684]  __neigh_event_send+0x197/0x2d0
      [  274.309862]  neigh_resolve_output+0x18c/0x210
      [  274.314212]  ip_finish_output2+0x257/0x690
      [  274.318304]  ip_finish_output+0x219/0x340
      [  274.322314]  ? ip_finish_output+0x219/0x340
      [  274.326493]  ip_output+0x76/0x240
      [  274.329805]  ? ip_fragment.constprop.53+0x80/0x80
      [  274.334510]  ip_local_out+0x3f/0x70
      [  274.337992]  ip_send_skb+0x19/0x40
      [  274.341391]  ip_push_pending_frames+0x33/0x40
      [  274.345740]  raw_sendmsg+0xc15/0x11d0
      [  274.349403]  ? __might_fault+0x85/0x90
      [  274.353151]  ? _copy_from_user+0x6b/0xa0
      [  274.357070]  ? rw_copy_check_uvector+0x54/0x130
      [  274.361604]  inet_sendmsg+0x42/0x1c0
      [  274.365179]  ? inet_sendmsg+0x42/0x1c0
      [  274.368937]  sock_sendmsg+0x3e/0x50
      [  274.372460]  ___sys_sendmsg+0x26f/0x2d0
      [  274.376293]  ? lock_acquire+0x95/0x190
      [  274.380043]  ? __handle_mm_fault+0x7ce/0xb70
      [  274.384307]  ? lock_acquire+0x95/0x190
      [  274.388053]  ? __audit_syscall_entry+0xdd/0x130
      [  274.392586]  ? ktime_get_coarse_real_ts64+0x64/0xc0
      [  274.397461]  ? __audit_syscall_entry+0xdd/0x130
      [  274.401989]  ? trace_hardirqs_on+0x4c/0x100
      [  274.406173]  __sys_sendmsg+0x63/0xa0
      [  274.409744]  ? __sys_sendmsg+0x63/0xa0
      [  274.413488]  __x64_sys_sendmsg+0x1f/0x30
      [  274.417405]  do_syscall_64+0x55/0x190
      [  274.421064]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  274.426113] RIP: 0033:0x7ff4ae0e6e87
      [  274.429686] Code: 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 80 00
      00 00 00 8b 05 ca d9 2b 00 48 63 d2 48 63 ff 85 c0 75 10 b8 2e 00 00
      00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 53 48 89 f3 48 83 ec 10 48 89 7c
      24 08
      [  274.448422] RSP: 002b:00007ffcd9b76db8 EFLAGS: 00000246 ORIG_RAX:
      000000000000002e
      [  274.455978] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007ff4ae0e6e87
      [  274.463104] RDX: 0000000000000000 RSI: 00000000006092e0 RDI: 0000000000000003
      [  274.470228] RBP: 0000000000000000 R08: 00007ffcd9bc40a0 R09: 00007ffcd9bc4080
      [  274.477349] R10: 000000000000060a R11: 0000000000000246 R12: 0000000000000003
      [  274.484475] R13: 0000000000000016 R14: 00007ffcd9b77fa0 R15: 00007ffcd9b78da4
      [  274.491602] Modules linked in: cls_bpf sch_ingress iptable_filter
      ip_tables algif_hash af_alg x86_pkg_temp_thermal fuse [last unloaded:
      test_bpf]
      [  274.504634] CR2: 0000000000000000
      [  274.507976] ---[ end trace 196d18386545eae1 ]---
      [  274.512588] RIP: 0010:          (null)
      [  274.516334] Code: Bad RIP value.
      [  274.519557] RSP: 0018:ffffbc9681f83540 EFLAGS: 00010286
      [  274.524775] RAX: 0000000000000000 RBX: ffffdc967fa80a18 RCX: 0000000000000000
      [  274.531921] RDX: ffff9db2ee08b540 RSI: 000000000000000e RDI: ffffdc967fa809a0
      [  274.539082] RBP: ffffbc9681f83580 R08: ffff9db2c4d62690 R09: 000000000000000c
      [  274.546205] R10: 0000000000000000 R11: ffff9db2ee08b540 R12: ffff9db31ce7c000
      [  274.553329] R13: 0000000000000001 R14: 000000000000000c R15: ffff9db3179cf400
      [  274.560456] FS:  00007ff4ae7c5740(0000) GS:ffff9db31fa80000(0000)
      knlGS:0000000000000000
      [  274.568541] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  274.574277] CR2: ffffffffffffffd6 CR3: 00000004574da004 CR4: 00000000003606e0
      [  274.581403] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  274.588535] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  274.595658] Kernel panic - not syncing: Fatal exception in interrupt
      [  274.602046] Kernel Offset: 0x14400000 from 0xffffffff81000000
      (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [  274.612827] ---[ end Kernel panic - not syncing: Fatal exception in
      interrupt ]---
      [  274.620387] ------------[ cut here ]------------
      
      I'm also seeing the same failure on x86_64, and it reproduces
      consistently.
      
      >From poking around it looks like the skb's dst entry is being used
      to calculate the mtu in:
      
      mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu;
      
      ...but because that dst_entry  has an "ops" value set to md_dst_ops,
      the various ops (including mtu) are not set:
      
      crash> struct sk_buff._skb_refdst ffff928f87447700 -x
            _skb_refdst = 0xffffcd6fbf5ea590
      crash> struct dst_entry.ops 0xffffcd6fbf5ea590
        ops = 0xffffffffa0193800
      crash> struct dst_ops.mtu 0xffffffffa0193800
        mtu = 0x0
      crash>
      
      I confirmed that the dst entry also has dst->input set to
      dst_md_discard, so it looks like it's an entry that's been
      initialized via __metadata_dst_init alright.
      
      I think the fix here is to use skb_valid_dst(skb) - it checks
      for  DST_METADATA also, and with that fix in place, the
      problem - which was previously 100% reproducible - disappears.
      
      The below patch resolves the panic and all bpf tunnel tests pass
      without incident.
      
      Fixes: c8b34e68 ("ip_tunnel: Add tnl_update_pmtu in ip_md_tunnel_xmit")
      Reported-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Signed-off-by: default avatarAlan Maguire <alan.maguire@oracle.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Tested-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Reported-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Tested-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4b3ec4e
    • Paolo Abeni's avatar
      ipv4/route: fail early when inet dev is missing · 22c74764
      Paolo Abeni authored
      If a non local multicast packet reaches ip_route_input_rcu() while
      the ingress device IPv4 private data (in_dev) is NULL, we end up
      doing a NULL pointer dereference in IN_DEV_MFORWARD().
      
      Since the later call to ip_route_input_mc() is going to fail if
      !in_dev, we can fail early in such scenario and avoid the dangerous
      code path.
      
      v1 -> v2:
       - clarified the commit message, no code changes
      Reported-by: default avatarTianhao Zhao <tizhao@redhat.com>
      Fixes: e58e4159 ("net: Enable support for VRF with ipv4 multicast")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22c74764
    • Dan Carpenter's avatar
      net: hns3: Fix a logical vs bitwise typo · f4772dee
      Dan Carpenter authored
      There were a couple logical ORs accidentally mixed in with the bitwise
      ORs.
      
      Fixes: e8149933 ("net: hns3: remove hnae3_get_bit in data path")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4772dee
  5. 05 Mar, 2019 15 commits
    • wenxu's avatar
      net/sched: act_tunnel_key: Fix double free dst_cache · 4177c5d9
      wenxu authored
      dst_cache_destroy will be called in dst_release
      
      dst_release-->dst_destroy_rcu-->dst_destroy-->metadata_dst_free
      -->dst_cache_destroy
      
      It should not call dst_cache_destroy before dst_release
      
      Fixes: 41411e2f ("net/sched: act_tunnel_key: Add dst_cache support")
      Signed-off-by: default avatarwenxu <wenxu@ucloud.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4177c5d9
    • Erik Hugne's avatar
      tipc: fix RDM/DGRAM connect() regression · 0e632089
      Erik Hugne authored
      Fix regression bug introduced in
      commit 365ad353 ("tipc: reduce risk of user starvation during link
      congestion")
      
      Only signal -EDESTADDRREQ for RDM/DGRAM if we don't have a cached
      sockaddr.
      
      Fixes: 365ad353 ("tipc: reduce risk of user starvation during link congestion")
      Signed-off-by: default avatarErik Hugne <erik.hugne@gmail.com>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0e632089
    • Linus Torvalds's avatar
      Merge tag 'mips_5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · d9862cfb
      Linus Torvalds authored
      Pull MIPS updates from Paul Burton:
      
       - Support for the MIPSr6 MemoryMapID register & Global INValidate TLB
         (GINVT) instructions, allowing for more efficient TLB maintenance
         when running on a CPU such as the I6500 that supports these.
      
       - Enable huge page support for MIPS64r6.
      
       - Optimize post-DMA cache sync by removing that code entirely for
         kernel configurations in which we know it won't be needed.
      
       - The number of pages allocated for interrupt stacks is now calculated
         correctly, where before we would wastefully allocate too much memory
         in some configurations.
      
       - The ath79 platform migrates to devicetree.
      
       - The bcm47xx platform sees fixes for the Buffalo WHR-G54S board.
      
       - The ingenic/jz4740 platform gains support for appended devicetrees.
      
       - The cavium_octeon, lantiq, loongson32 & sgi-ip27 platforms all see
         cleanups as do various pieces of core architecture code.
      
      * tag 'mips_5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: (66 commits)
        MIPS: lantiq: Remove separate GPHY Firmware loader
        MIPS: ingenic: Add support for appended devicetree
        MIPS: SGI-IP27: rework HUB interrupts
        MIPS: SGI-IP27: do boot CPU init later
        MIPS: SGI-IP27: do xtalk scanning later
        MIPS: SGI-IP27: use pr_info/pr_emerg and pr_cont to fix output
        MIPS: SGI-IP27: clean up bridge access and header files
        MIPS: SGI-IP27: get rid of volatile and hubreg_t
        MIPS: irq: Allocate accurate order pages for irq stack
        MIPS: dma-noncoherent: Remove bogus condition in dma_sync_phys()
        MIPS: eBPF: Remove REG_32BIT_ZERO_EX
        MIPS: eBPF: Always return sign extended 32b values
        MIPS: CM: Fix indentation
        MIPS: BCM47XX: Fix/improve Buffalo WHR-G54S support
        MIPS: OCTEON: program rx/tx-delay always from DT
        MIPS: OCTEON: delete board-specific link status
        MIPS: OCTEON: don't lie about interface type of CN3005 board
        MIPS: OCTEON: warn if deprecated link status is being used
        MIPS: OCTEON: add fixed-link nodes to in-kernel device tree
        MIPS: Delete unused flush_cache_sigtramp()
        ...
      d9862cfb
    • Linus Torvalds's avatar
      Merge branch 'parisc-5.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 8feed3ef
      Linus Torvalds authored
      Pull parisc updates from Helge Deller:
       "The most important changes in this patch set are:
      
         - DMA-related cleanups for parisc with the aim to move anything not
           required by drivers out of <asm/dma-mapping.h>, by Christoph
           Hellwig
      
         - Switch to memblock_alloc(), by Mike Rapoport
      
         - Makefile cleanups by Masahiro Yamada
      
         - Switch to bust_spinlocks(), by Sergey Senozhatsky
      
         - Improved initial SMP affinity selection for IRQs
      
         - Added IPI- and rescheduling interrupts in /proc/interrupts output"
      
      * 'parisc-5.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: (21 commits)
        parisc: use memblock_alloc() instead of custom get_memblock()
        parisc: Add constants for various PDC firmware calls
        parisc: Add constant for PDC_PAT_COMPLEX firmware call
        parisc: Show machine product number during boot
        parisc: Add constants for PDC_RELOCATE PDC call
        parisc: Add PDC_CRASH_PREP PDC function number
        parisc: Use F_EXTEND() macro in iosapic code
        parisc: remove the HBA_DATA macro
        parisc/lba_pci: use container_of in LBA_DEV
        parisc/dino: use container_of in DINO_DEV
        parisc: properly type the return value of parisc_walk_tree
        parisc: properly type the iommu field in struct pci_hba_data
        parisc: turn GET_IOC into an inline function
        parisc: move internal implementation details out of <asm/dma-mapping.h>
        parisc: don't include <asm/cacheflush.h> in <asm/dma-mapping.h>
        parisc: remove meaningless ccflags-y in arch/parisc/boot/Makefile
        parisc: replace oops_in_progress manipulation with bust_spinlocks()
        parisc: Improve initial IRQ to CPU assignment
        parisc: Count IPI function call interrupts
        parisc: Show rescheduling interrupts on SMP machines only
        ...
      8feed3ef
    • Linus Torvalds's avatar
      Merge tag 's390-5.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 3591b195
      Linus Torvalds authored
      Pull s390 updates from Martin Schwidefsky:
      
       - A copy of Arnds compat wrapper generation series
      
       - Pass information about the KVM guest to the host in form the control
         program code and the control program version code
      
       - Map IOV resources to support PCI physical functions on s390
      
       - Add vector load and store alignment hints to improve performance
      
       - Use the "jdd" constraint with gcc 9 to make jump labels working again
      
       - Remove amode workaround for old z/VM releases from the DCSS code
      
       - Add support for in-kernel performance measurements using the CPU
         measurement counter facility
      
       - Introduce a new PMU device cpum_cf_diag to capture counters and store
         thenn as event raw data.
      
       - Bug fixes and cleanups
      
      * tag 's390-5.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: (54 commits)
        Revert "s390/cpum_cf: Add kernel message exaplanations"
        s390/dasd: fix read device characteristic with CONFIG_VMAP_STACK=y
        s390/suspend: fix prefix register reset in swsusp_arch_resume
        s390: warn about clearing als implied facilities
        s390: allow overriding facilities via command line
        s390: clean up redundant facilities list setup
        s390/als: remove duplicated in-place implementation of stfle
        s390/cio: Use cpa range elsewhere within vfio-ccw
        s390/cio: Fix vfio-ccw handling of recursive TICs
        s390: vfio_ap: link the vfio_ap devices to the vfio_ap bus subsystem
        s390/cpum_cf: Handle EBUSY return code from CPU counter facility reservation
        s390/cpum_cf: Add kernel message exaplanations
        s390/cpum_cf_diag: Add support for s390 counter facility diagnostic trace
        s390/cpum_cf: add ctr_stcctm() function
        s390/cpum_cf: move common functions into a separate file
        s390/cpum_cf: introduce kernel_cpumcf_avail() function
        s390/cpu_mf: replace stcctm5() with the stcctm() function
        s390/cpu_mf: add store cpu counter multiple instruction support
        s390/cpum_cf: Add minimal in-kernel interface for counter measurements
        s390/cpum_cf: introduce kernel_cpumcf_alert() to obtain measurement alerts
        ...
      3591b195
    • Linus Torvalds's avatar
      Merge tag 'm68k-for-v5.1-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k · 45f5532a
      Linus Torvalds authored
      Pull m68k updates from Geert Uytterhoeven:
      
       - VLA removal
      
       - gcc-8.x build fixes
      
       - small improvements and cleanups
      
       - defconfig updates
      
      * tag 'm68k-for-v5.1-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k:
        m68k: Add -ffreestanding to CFLAGS
        m68k/apollo: Fix comment in Makefile
        dio: Fix buffer overflow in case of unknown board
        m68k/defconfig: Update defconfigs for v5.0-rc1
        m68k/atari: Avoid VLA use in atari_switches_setup()
        m68k: Avoid VLA use in mangle_kernel_stack()
        m68k/mac: Use '030 reset method on SE/30
        m68k/mac: Remove obsolete comment
        m68k/mac: Skip VIA port setup unless RTC is connected
        m68k/mac: Clean up unused timer definitions
        m68k/defconfig: Drop NET_VENDOR_<FOO>=n
      45f5532a
    • Borislav Petkov's avatar
      x86: Deprecate a.out support · eac61655
      Borislav Petkov authored
      Linux supports ELF binaries for ~25 years now.  a.out coredumping has
      bitrotten quite significantly and would need some fixing to get it into
      shape again but considering how even the toolchains cannot create a.out
      executables in its default configuration, let's deprecate a.out support
      and remove it a couple of releases later, instead.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarRichard Weinberger <richard@nod.at>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: <linux-api@vger.kernel.org>
      Cc: <linux-fsdevel@vger.kernel.org>
      Cc: lkml <linux-kernel@vger.kernel.org>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <x86@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      eac61655
    • Linus Torvalds's avatar
      a.out: remove core dumping support · 08300f44
      Linus Torvalds authored
      We're (finally) phasing out a.out support for good.  As Borislav Petkov
      points out, we've supported ELF binaries for about 25 years by now, and
      coredumping in particular has bitrotted over the years.
      
      None of the tool chains even support generating a.out binaries any more,
      and the plan is to deprecate a.out support entirely for the kernel.  But
      I want to start with just removing the core dumping code, because I can
      still imagine that somebody actually might want to support a.out as a
      simpler biinary format.
      
      Particularly if you generate some random binaries on the fly, ELF is a
      much more complicated format (admittedly ELF also does have a lot of
      toolchain support, mitigating that complexity a lot and you really
      should have moved over in the last 25 years).
      
      So it's at least somewhat possible that somebody out there has some
      workflow that still involves generating and running a.out executables.
      
      In contrast, it's very unlikely that anybody depends on debugging any
      legacy a.out core files.  But regardless, I want this phase-out to be
      done in two steps, so that we can resurrect a.out support (if needed)
      without having to resurrect the core file dumping that is almost
      certainly not needed.
      
      Jann Horn pointed to the <asm/a.out-core.h> file that my first trivial
      cut at this had missed.
      
      And Alan Cox points out that the a.out binary loader _could_ be done in
      user space if somebody wants to, but we might keep just the loader in
      the kernel if somebody really wants it, since the loader isn't that big
      and has no really odd special cases like the core dumping does.
      Acked-by: default avatarBorislav Petkov <bp@alien8.de>
      Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
      Cc: Jann Horn <jannh@google.com>
      Cc: Richard Weinberger <richard@nod.at>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      08300f44
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 63bdf428
      Linus Torvalds authored
      Pull crypto update from Herbert Xu:
       "API:
         - Add helper for simple skcipher modes.
         - Add helper to register multiple templates.
         - Set CRYPTO_TFM_NEED_KEY when setkey fails.
         - Require neither or both of export/import in shash.
         - AEAD decryption test vectors are now generated from encryption
           ones.
         - New option CONFIG_CRYPTO_MANAGER_EXTRA_TESTS that includes random
           fuzzing.
      
        Algorithms:
         - Conversions to skcipher and helper for many templates.
         - Add more test vectors for nhpoly1305 and adiantum.
      
        Drivers:
         - Add crypto4xx prng support.
         - Add xcbc/cmac/ecb support in caam.
         - Add AES support for Exynos5433 in s5p.
         - Remove sha384/sha512 from artpec7 as hardware cannot do partial
           hash"
      
      [ There is a merge of the Freescale SoC tree in order to pull in changes
        required by patches to the caam/qi2 driver. ]
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (174 commits)
        crypto: s5p - add AES support for Exynos5433
        dt-bindings: crypto: document Exynos5433 SlimSSS
        crypto: crypto4xx - add missing of_node_put after of_device_is_available
        crypto: cavium/zip - fix collision with generic cra_driver_name
        crypto: af_alg - use struct_size() in sock_kfree_s()
        crypto: caam - remove redundant likely/unlikely annotation
        crypto: s5p - update iv after AES-CBC op end
        crypto: x86/poly1305 - Clear key material from stack in SSE2 variant
        crypto: caam - generate hash keys in-place
        crypto: caam - fix DMA mapping xcbc key twice
        crypto: caam - fix hash context DMA unmap size
        hwrng: bcm2835 - fix probe as platform device
        crypto: s5p-sss - Use AES_BLOCK_SIZE define instead of number
        crypto: stm32 - drop pointless static qualifier in stm32_hash_remove()
        crypto: chelsio - Fixed Traffic Stall
        crypto: marvell - Remove set but not used variable 'ivsize'
        crypto: ccp - Update driver messages to remove some confusion
        crypto: adiantum - add 1536 and 4096-byte test vectors
        crypto: nhpoly1305 - add a test vector with len % 16 != 0
        crypto: arm/aes-ce - update IV after partial final CTR block
        ...
      63bdf428
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next · 64563003
      Linus Torvalds authored
      Pull networking updates from David Miller:
       "Here we go, another merge window full of networking and #ebpf changes:
      
         1) Snoop DHCPACKS in batman-adv to learn MAC/IP pairs in the DHCP
            range without dealing with floods of ARP traffic, from Linus
            Lüssing.
      
         2) Throttle buffered multicast packet transmission in mt76, from
            Felix Fietkau.
      
         3) Support adaptive interrupt moderation in ice, from Brett Creeley.
      
         4) A lot of struct_size conversions, from Gustavo A. R. Silva.
      
         5) Add peek/push/pop commands to bpftool, as well as bash completion,
            from Stanislav Fomichev.
      
         6) Optimize sk_msg_clone(), from Vakul Garg.
      
         7) Add SO_BINDTOIFINDEX, from David Herrmann.
      
         8) Be more conservative with local resends due to local congestion,
            from Yuchung Cheng.
      
         9) Allow vetoing of unsupported VXLAN FDBs, from Petr Machata.
      
        10) Add health buffer support to devlink, from Eran Ben Elisha.
      
        11) Add TXQ scheduling API to mac80211, from Toke Høiland-Jørgensen.
      
        12) Add statistics to basic packet scheduler filter, from Cong Wang.
      
        13) Add GRE tunnel support for mlxsw Spectrum-2, from Nir Dotan.
      
        14) Lots of new IP tunneling forwarding tests, also from Nir Dotan.
      
        15) Add 3ad stats to bonding, from Nikolay Aleksandrov.
      
        16) Lots of probing improvements for bpftool, from Quentin Monnet.
      
        17) Various nfp drive #ebpf JIT improvements from Jakub Kicinski.
      
        18) Allow #ebpf programs to access gso_segs from skb shared info, from
            Eric Dumazet.
      
        19) Add sock_diag support for AF_XDP sockets, from Björn Töpel.
      
        20) Support 22260 iwlwifi devices, from Luca Coelho.
      
        21) Use rbtree for ipv6 defragmentation, from Peter Oskolkov.
      
        22) Add JMP32 instruction class support to #ebpf, from Jiong Wang.
      
        23) Add spinlock support to #ebpf, from Alexei Starovoitov.
      
        24) Support 256-bit keys and TLS 1.3 in ktls, from Dave Watson.
      
        25) Add device infomation API to devlink, from Jakub Kicinski.
      
        26) Add new timestamping socket options which are y2038 safe, from
            Deepa Dinamani.
      
        27) Add RX checksum offloading for various sh_eth chips, from Sergei
            Shtylyov.
      
        28) Flow offload infrastructure, from Pablo Neira Ayuso.
      
        29) Numerous cleanups, improvements, and bug fixes to the PHY layer
            and many drivers from Heiner Kallweit.
      
        30) Lots of changes to try and make packet scheduler classifiers run
            lockless as much as possible, from Vlad Buslov.
      
        31) Support BCM957504 chip in bnxt_en driver, from Erik Burrows.
      
        32) Add concurrency tests to tc-tests infrastructure, from Vlad
            Buslov.
      
        33) Add hwmon support to aquantia, from Heiner Kallweit.
      
        34) Allow 64-bit values for SO_MAX_PACING_RATE, from Eric Dumazet.
      
        And I would be remiss if I didn't thank the various major networking
        subsystem maintainers for integrating much of this work before I even
        saw it. Alexei Starovoitov, Daniel Borkmann, Pablo Neira Ayuso,
        Johannes Berg, Kalle Valo, and many others. Thank you!"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (2207 commits)
        net/sched: avoid unused-label warning
        net: ignore sysctl_devconf_inherit_init_net without SYSCTL
        phy: mdio-mux: fix Kconfig dependencies
        net: phy: use phy_modify_mmd_changed in genphy_c45_an_config_aneg
        net: dsa: mv88e6xxx: add call to mv88e6xxx_ports_cmode_init to probe for new DSA framework
        selftest/net: Remove duplicate header
        sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
        net/mlx5e: Update tx reporter status in case channels were successfully opened
        devlink: Add support for direct reporter health state update
        devlink: Update reporter state to error even if recover aborted
        sctp: call iov_iter_revert() after sending ABORT
        team: Free BPF filter when unregistering netdev
        ip6mr: Do not call __IP6_INC_STATS() from preemptible context
        isdn: mISDN: Fix potential NULL pointer dereference of kzalloc
        net: dsa: mv88e6xxx: support in-band signalling on SGMII ports with external PHYs
        cxgb4/chtls: Prefix adapter flags with CXGB4
        net-sysfs: Switch to bitmap_zalloc()
        mellanox: Switch to bitmap_zalloc()
        bpf: add test cases for non-pointer sanitiation logic
        mlxsw: i2c: Extend initialization by querying resources data
        ...
      64563003
    • Martin Schwidefsky's avatar
      fcc082f3
    • Linus Torvalds's avatar
      Merge tag 'leds-for-5.1-rc1' of... · cd2a3bf0
      Linus Torvalds authored
      Merge tag 'leds-for-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED updates from Jacek Anaszewski:
      
       - finalize previously announced support for initialization of pattern
         triggers from Device Tree
      
       - fix for null deref on firmware load failure in leds-lp55xx-common.c
      
      * tag 'leds-for-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        leds: lp55xx: fix null deref on firmware load failure
        leds: trigger: timer: Add initialization from Device Tree
        leds: trigger: oneshot: Add initialization from Device Tree
        leds: trigger: pattern: Add pattern initialization from Device Tree
        leds: Add helper for getting default pattern from Device Tree
        dt-bindings: leds: Add pattern initialization from Device Tree
      cd2a3bf0
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging · 7629bac6
      Linus Torvalds authored
      Pull hwmon updates from Guenter Roeck:
      
       - Add support for LM96000, DPS-650AB to existing drivers
      
       - Use permission specific SENSOR[_DEVICE]_ATTR variants in several
         drivers
      
       - Replace S_<PERMS> with octal values in several drivers
      
       - Update some license headers
      
       - Various minor fixes and improvements in several drivers
      
      * tag 'hwmon-for-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: (89 commits)
        dt-bindings: hwmon: Add missing documentation for lm75
        hwmon: (ad7418) Add device tree probing
        hwmon: (ad741x) Add DT bindings for Analog Devices AD741x
        hwmon: (ntc_thermistor) Convert to new hwmon API
        hwmon: (pwm-fan) Add optional regulator support
        dt-bindings: hwmon: Add optional regulator support to pwm-fan
        hwmon: (f71882fg) Mark expected switch fall-through
        hwmon: (ad7418) Catch I2C errors
        hwmon: (lm85) add support for LM96000 high frequencies
        hwmon: (lm85) support the LM96000
        dt-bindings: Add LM96000 as a trivial device
        hwmon: (lm85) remove freq_map size hardcodes
        hwmon: (occ) Fix license headers
        hwmon: (via-cputemp) Use permission specific SENSOR[_DEVICE]_ATTR variants
        hwmon: (vexpress-hwmon) Use permission specific SENSOR[_DEVICE]_ATTR variants
        hwmon: (tmp421) Replace S_<PERMS> with octal values
        hwmon: (tmp103) Use permission specific SENSOR[_DEVICE]_ATTR variants
        hwmon: (tmp102) Replace S_<PERMS> with octal values
        hwmon: (tc74) Use permission specific SENSOR[_DEVICE]_ATTR variants
        hwmon: (tc654) Use permission specific SENSOR[_DEVICE]_ATTR variants
        ...
      7629bac6
    • Linus Torvalds's avatar
      Merge tag 'spi-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · dcc75dde
      Linus Torvalds authored
      Pull spi updates from Mark Brown:
       "A fairly quiet release for SPI, the biggest thing is the conversion to
        use GPIO descriptors which is now 90% done but still needs some
        stragglers converting.
      
        Summary:
      
         - Support for inter-word delays
      
         - Conversion of the core and most drivers to use GPIO descriptors for
           GPIO controlled chip selects
      
         - New drivers for NXP FlexSPI and QuadSPI, SiFive and Spreadtrum"
      
      * tag 'spi-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: (104 commits)
        spi: sh-msiof: Restrict bits per word to 8/16/24/32 on R-Car Gen2/3
        spi: sifive: Remove redundant dev_err call in sifive_spi_probe()
        spi: sifive: Remove spi_master_put in sifive_spi_remove()
        spi: spi-gpio: fix SPI_CS_HIGH capability
        spi: pxa2xx: Setup maximum supported DMA transfer length
        spi: sifive: Add driver for the SiFive SPI controller
        spi: sifive: Add DT documentation for SiFive SPI controller
        spi: sprd: Add a prefix for SPI DMA channel macros
        spi: sprd: spi: sprd: Add DMA mode support
        dt-bindings: spi: Add the DMA properties for the SPI dma mode
        spi: sprd: Add the SPI irq function for the SPI DMA mode
        dt-bindings: spi: imx: Add an entry for the i.MX8QM compatible
        spi: use gpio[d]_set_value_cansleep for setting chipselect GPIO
        spi: gpio: Advertise support for SPI_CS_HIGH
        spi: sh-msiof: Replace spi_master by spi_controller
        spi: sh-hspi: Replace spi_master by spi_controller
        spi: rspi: Replace spi_master by spi_controller
        spi: atmel-quadspi: add support for sam9x60 qspi controller
        dt-bindings: spi: atmel-quadspi: QuadSPI driver for Microchip SAM9X60
        spi: atmel-quadspi: add support for named peripheral clock
        ...
      dcc75dde
    • Linus Torvalds's avatar
      Merge tag 'regulator-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator · 32c0ac3a
      Linus Torvalds authored
      Pull regulator updates from Mark Brown:
       "The bulk of the standout changes in this release are cleanups, with
        the core work being a combination of factoring out common code into
        helpers and the completion of the conversion of the core to use GPIO
        descriptors.
      
        Summary:
      
         - Addition of helper functions for current limits and conversion of
           drivers to use them by Axel Lin.
      
         - Lots and lots of cleanups from Axel Lin.
      
         - Conversion of the core to use GPIO descriptors rather than numbers
           by Linus Walleij.
      
         - New drivers for Maxim MAX77650 and ROHM BD70528"
      
      * tag 'regulator-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: (131 commits)
        regulator: mc13xxx: Constify regulator_ops variables
        regulator: palmas: Constify palmas_smps_ramp_delay array
        regulator: wm831x-dcdc: Convert to use regulator_set/get_current_limit_regmap
        regulator: pv88090: Convert to use regulator_set/get_current_limit_regmap
        regulator: pv88080: Convert to use regulator_set/get_current_limit_regmap
        regulator: pv88060: Convert to use regulator_set/get_current_limit_regmap
        regulator: max77650: Convert to use regulator_set/get_current_limit_regmap
        regulator: lp873x: Convert to use regulator_set/get_current_limit_regmap
        regulator: lp872x: Convert to use regulator_set/get_current_limit_regmap
        regulator: da9210: Convert to use regulator_set/get_current_limit_regmap
        regulator: da9055: Convert to use regulator_set/get_current_limit_regmap
        regulator: core: Add set/get_current_limit helpers for regmap users
        regulator: Fix comment for csel_reg and csel_mask
        regulator: stm32-vrefbuf: add power management support
        regulator: 88pm8607: Remove unused fields from struct pm8607_regulator_info
        regulator: 88pm8607: Simplify pm8607_list_voltage implementation
        regulator: cpcap: Constify omap4_regulators and xoom_regulators
        regulator: cpcap: Remove unused vsel_shift from struct cpcap_regulator
        dt-bindings: regulator: tps65218: rectify units of LS3
        dt-bindings: regulator: add LS2 load switch documentation
        ...
      32c0ac3a