1. 27 Feb, 2018 1 commit
  2. 26 Feb, 2018 16 commits
    • Thomas Winter's avatar
      ip_tunnel: Do not use mark in skb by default · 4e994776
      Thomas Winter authored
      This reverts commit 5c38bd1b.
      
      skb->mark contains the mark the encapsulated traffic which
      can result in incorrect routing decisions being made such
      as routing loops if the route chosen is via tunnel itself.
      The correct method should be to use tunnel->fwmark.
      Signed-off-by: default avatarThomas Winter <thomas.winter@alliedtelesis.co.nz>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4e994776
    • Ido Schimmel's avatar
      bridge: Fix VLAN reference count problem · 0e5a82ef
      Ido Schimmel authored
      When a VLAN is added on a port, a reference is taken on the
      corresponding master VLAN entry. If it does not already exist, then it
      is created and a reference taken.
      
      However, in the second case a reference is not really taken when
      CONFIG_REFCOUNT_FULL is enabled as refcount_inc() is replaced by
      refcount_inc_not_zero().
      
      Fix this by using refcount_set() on a newly created master VLAN entry.
      
      Fixes: 25127759 ("net, bridge: convert net_bridge_vlan.refcnt from atomic_t to refcount_t")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0e5a82ef
    • Sergei Shtylyov's avatar
      DT: net: renesas,ravb: document R8A77980 bindings · 3a291aa1
      Sergei Shtylyov authored
      Renesas R-Car V3H (R8A77980) SoC has the R-Car gen3 compatible EtherAVB
      device, so document the SoC specific bindings.
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reviewed-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Reviewed-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3a291aa1
    • Ramon Fried's avatar
      qrtr: add MODULE_ALIAS macro to smd · c77f5fbb
      Ramon Fried authored
      Added MODULE_ALIAS("rpmsg:IPCRTR") to ensure qrtr-smd and qrtr will load
      when IPCRTR channel is detected.
      Signed-off-by: default avatarRamon Fried <rfried@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c77f5fbb
    • Denis Du's avatar
      hdlc_ppp: carrier detect ok, don't turn off negotiation · b6c3bad1
      Denis Du authored
      Sometimes when physical lines have a just good noise to make the protocol
      handshaking fail, but the carrier detect still good. Then after remove of
      the noise, nobody will trigger this protocol to be start again to cause
      the link to never come back. The fix is when the carrier is still on, not
      terminate the protocol handshaking.
      Signed-off-by: default avatarDenis Du <dudenis2000@yahoo.ca>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6c3bad1
    • Jason Wang's avatar
      tuntap: correctly add the missing XDP flush · 1bb4f2e8
      Jason Wang authored
      We don't flush batched XDP packets through xdp_do_flush_map(), this
      will cause packets stall at TX queue. Consider we don't do XDP on NAPI
      poll(), the only possible fix is to call xdp_do_flush_map()
      immediately after xdp_do_redirect().
      
      Note, this in fact won't try to batch packets through devmap, we could
      address in the future.
      Reported-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Fixes: 761876c8 ("tap: XDP support")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1bb4f2e8
    • Jason Wang's avatar
      tuntap: disable preemption during XDP processing · 23e43f07
      Jason Wang authored
      Except for tuntap, all other drivers' XDP was implemented at NAPI
      poll() routine in a bh. This guarantees all XDP operation were done at
      the same CPU which is required by e.g BFP_MAP_TYPE_PERCPU_ARRAY. But
      for tuntap, we do it in process context and we try to protect XDP
      processing by RCU reader lock. This is insufficient since
      CONFIG_PREEMPT_RCU can preempt the RCU reader critical section which
      breaks the assumption that all XDP were processed in the same CPU.
      
      Fixing this by simply disabling preemption during XDP processing.
      
      Fixes: 761876c8 ("tap: XDP support")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      23e43f07
    • Jason Wang's avatar
      Revert "tuntap: add missing xdp flush" · f249be4d
      Jason Wang authored
      This reverts commit 762c330d. The
      reason is we try to batch packets for devmap which causes calling
      xdp_do_flush() in the process context. Simply disabling preemption
      may not work since process may move among processors which lead
      xdp_do_flush() to miss some flushes on some processors.
      
      So simply revert the patch, a follow-up patch will add the xdp flush
      correctly.
      Reported-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Fixes: 762c330d ("tuntap: add missing xdp flush")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f249be4d
    • Emil Tantilov's avatar
      ixgbe: fix crash in build_skb Rx code path · 0c5661ec
      Emil Tantilov authored
      Add check for build_skb enabled ring in ixgbe_dma_sync_frag().
      In that case &skb_shinfo(skb)->frags[0] may not always be set which
      can lead to a crash. Instead we derive the page offset from skb->data.
      
      Fixes: 42073d91
      ("ixgbe: Have the CPU take ownership of the buffers sooner")
      CC: stable <stable@vger.kernel.org>
      Reported-by: default avatarAmbarish Soman <asoman@redhat.com>
      Suggested-by: default avatarAlexander Duyck <alexander.h.duyck@intel.com>
      Signed-off-by: default avatarEmil Tantilov <emil.s.tantilov@intel.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c5661ec
    • David S. Miller's avatar
      ARM: orion5x: Revert commit 4904dbda. · 13a55372
      David S. Miller authored
      It is not valid for orion5x to use mac_pton().
      
      First of all, the orion5x buffer is not NULL terminated.  mac_pton()
      has no business operating on non-NULL terminated buffers because
      only the caller can know that this is valid and in what manner it
      is ok to parse this NULL'less buffer.
      
      Second of all, orion5x operates on an __iomem pointer, which cannot
      be dereferenced using normal C pointer operations.  Accesses to
      such areas much be performed with the proper iomem accessors.
      
      Fixes: 4904dbda ("ARM: orion5x: use mac_pton() helper")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      13a55372
    • David S. Miller's avatar
      Merge branch 'l2tp-fix-API-races-discovered-by-syzbot' · 44e524cf
      David S. Miller authored
      James Chapman says:
      
      ====================
      l2tp: fix API races discovered by syzbot
      
      This patch series addresses several races with L2TP APIs discovered by
      syzbot. There are no functional changes.
      
      The set of patches 1-5 in combination fix the following syzbot reports.
      
      19c09769f WARNING in debug_print_object
      347bd5acd KASAN: use-after-free Read in inet_shutdown
      6e6a5ec8d general protection fault in pppol2tp_connect
      9df43faf0 KASAN: use-after-free Read in pppol2tp_connect
      
      My first attempts to fix these issues were as net-next patches but
      the series included other refactoring and cleanup work. I was asked to
      separate out the bugfixes and redo for the net tree, which is what
      these patches are.
      
      The changes are:
      
       1. Fix inet_shutdown races when L2TP tunnels and sessions close. (patches 1-2)
       2. Fix races with tunnel and its socket. (patch 3)
       3. Fix race in pppol2tp_release with session and its socket. (patch 4)
       4. Fix tunnel lookup use-after-free. (patch 5)
      
      All of the syzbot reproducers hit races in the tunnel and pppol2tp
      session create and destroy paths. These tests create and destroy
      pppol2tp tunnels and sessions rapidly using multiple threads,
      provoking races in several tunnel/session create/destroy paths. The
      key problem was that each tunnel/session socket could be destroyed
      while its associated tunnel/session object still existed (patches 3,
      4). Patch 5 addresses a problem with the way tunnels are removed from
      the tunnel list. Patch 5 is tagged that it addresses all four syzbot
      issues, though all 5 patches are needed.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44e524cf
    • James Chapman's avatar
      l2tp: fix tunnel lookup use-after-free race · 28f5bfb8
      James Chapman authored
      l2tp_tunnel_get walks the tunnel list to find a matching tunnel
      instance and if a match is found, its refcount is increased before
      returning the tunnel pointer. But when tunnel objects are destroyed,
      they are on the tunnel list after their refcount hits zero. Fix this
      by moving the code that removes the tunnel from the tunnel list from
      the tunnel socket destructor into in the l2tp_tunnel_delete path,
      before the tunnel refcount is decremented.
      
      refcount_t: increment on 0; use-after-free.
      WARNING: CPU: 3 PID: 13507 at lib/refcount.c:153 refcount_inc+0x47/0x50
      Modules linked in:
      CPU: 3 PID: 13507 Comm: syzbot_6e6a5ec8 Not tainted 4.16.0-rc2+ #36
      Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      RIP: 0010:refcount_inc+0x47/0x50
      RSP: 0018:ffff8800136ffb20 EFLAGS: 00010286
      RAX: dffffc0000000008 RBX: ffff880017068e68 RCX: ffffffff814d3333
      RDX: 0000000000000000 RSI: ffff88001a59f6d8 RDI: ffff88001a59f6d8
      RBP: ffff8800136ffb28 R08: 0000000000000000 R09: 0000000000000000
      R10: ffff8800136ffab0 R11: 0000000000000000 R12: ffff880017068e50
      R13: 0000000000000000 R14: ffff8800174da800 R15: 0000000000000004
      FS:  00007f403ab1e700(0000) GS:ffff88001a580000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000205fafd2 CR3: 0000000016770000 CR4: 00000000000006e0
      Call Trace:
       l2tp_tunnel_get+0x2dd/0x4e0
       pppol2tp_connect+0x428/0x13c0
       ? pppol2tp_session_create+0x170/0x170
       ? __might_fault+0x115/0x1d0
       ? lock_downgrade+0x860/0x860
       ? __might_fault+0xe5/0x1d0
       ? security_socket_connect+0x8e/0xc0
       SYSC_connect+0x1b6/0x310
       ? SYSC_bind+0x280/0x280
       ? __do_page_fault+0x5d1/0xca0
       ? up_read+0x1f/0x40
       ? __do_page_fault+0x3c8/0xca0
       SyS_connect+0x29/0x30
       ? SyS_accept+0x40/0x40
       do_syscall_64+0x1e0/0x730
       ? trace_hardirqs_off_thunk+0x1a/0x1c
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x7f403a42f259
      RSP: 002b:00007f403ab1dee8 EFLAGS: 00000296 ORIG_RAX: 000000000000002a
      RAX: ffffffffffffffda RBX: 00000000205fafe4 RCX: 00007f403a42f259
      RDX: 000000000000002e RSI: 00000000205fafd2 RDI: 0000000000000004
      RBP: 00007f403ab1df20 R08: 00007f403ab1e700 R09: 0000000000000000
      R10: 00007f403ab1e700 R11: 0000000000000296 R12: 0000000000000000
      R13: 00007ffc81906cbf R14: 0000000000000000 R15: 00007f403ab2b040
      Code: 3b ff 5b 5d c3 e8 ca 5f 3b ff 80 3d 49 8e 66 04 00 75 ea e8 bc 5f 3b ff 48 c7 c7 60 69 64 85 c6 05 34 8e 66 04 01 e8 59 49 15 ff <0f> 0b eb ce 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 41 54 53 49
      
      Fixes: f8ccac0e ("l2tp: put tunnel socket release on a workqueue")
      Reported-and-tested-by: syzbot+19c09769f14b48810113@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+347bd5acde002e353a36@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+6e6a5ec8de31a94cd015@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+9df43faf09bd400f2993@syzkaller.appspotmail.com
      Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28f5bfb8
    • James Chapman's avatar
      l2tp: fix race in pppol2tp_release with session object destroy · d02ba2a6
      James Chapman authored
      pppol2tp_release uses call_rcu to put the final ref on its socket. But
      the session object doesn't hold a ref on the session socket so may be
      freed while the pppol2tp_put_sk RCU callback is scheduled. Fix this by
      having the session hold a ref on its socket until the session is
      destroyed. It is this ref that is dropped via call_rcu.
      
      Sessions are also deleted via l2tp_tunnel_closeall. This must now also put
      the final ref via call_rcu. So move the call_rcu call site into
      pppol2tp_session_close so that this happens in both destroy paths. A
      common destroy path should really be implemented, perhaps with
      l2tp_tunnel_closeall calling l2tp_session_delete like pppol2tp_release
      does, but this will be looked at later.
      
      ODEBUG: activate active (active state 1) object type: rcu_head hint:           (null)
      WARNING: CPU: 3 PID: 13407 at lib/debugobjects.c:291 debug_print_object+0x166/0x220
      Modules linked in:
      CPU: 3 PID: 13407 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #38
      Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      RIP: 0010:debug_print_object+0x166/0x220
      RSP: 0018:ffff880013647a00 EFLAGS: 00010082
      RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff814d3333
      RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88001a59f6d0
      RBP: ffff880013647a40 R08: 0000000000000000 R09: 0000000000000001
      R10: ffff8800136479a8 R11: 0000000000000000 R12: 0000000000000001
      R13: ffffffff86161420 R14: ffffffff85648b60 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff88001a580000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020e77000 CR3: 0000000006022000 CR4: 00000000000006e0
      Call Trace:
       debug_object_activate+0x38b/0x530
       ? debug_object_assert_init+0x3b0/0x3b0
       ? __mutex_unlock_slowpath+0x85/0x8b0
       ? pppol2tp_session_destruct+0x110/0x110
       __call_rcu.constprop.66+0x39/0x890
       ? __call_rcu.constprop.66+0x39/0x890
       call_rcu_sched+0x17/0x20
       pppol2tp_release+0x2c7/0x440
       ? fcntl_setlk+0xca0/0xca0
       ? sock_alloc_file+0x340/0x340
       sock_release+0x92/0x1e0
       sock_close+0x1b/0x20
       __fput+0x296/0x6e0
       ____fput+0x1a/0x20
       task_work_run+0x127/0x1a0
       do_exit+0x7f9/0x2ce0
       ? SYSC_connect+0x212/0x310
       ? mm_update_next_owner+0x690/0x690
       ? up_read+0x1f/0x40
       ? __do_page_fault+0x3c8/0xca0
       do_group_exit+0x10d/0x330
       ? do_group_exit+0x330/0x330
       SyS_exit_group+0x22/0x30
       do_syscall_64+0x1e0/0x730
       ? trace_hardirqs_off_thunk+0x1a/0x1c
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x7f362e471259
      RSP: 002b:00007ffe389abe08 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f362e471259
      RDX: 00007f362e471259 RSI: 000000000000002e RDI: 0000000000000000
      RBP: 00007ffe389abe30 R08: 0000000000000000 R09: 00007f362e944270
      R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
      R13: 00007ffe389abf50 R14: 0000000000000000 R15: 0000000000000000
      Code: 8d 3c dd a0 8f 64 85 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7b 48 8b 14 dd a0 8f 64 85 4c 89 f6 48 c7 c7 20 85 64 85 e
      8 2a 55 14 ff <0f> 0b 83 05 ad 2a 68 04 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41
      
      Fixes: ee40fb2e ("l2tp: protect sock pointer of struct pppol2tp_session with RCU")
      Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d02ba2a6
    • James Chapman's avatar
      l2tp: fix races with tunnel socket close · d00fa9ad
      James Chapman authored
      The tunnel socket tunnel->sock (struct sock) is accessed when
      preparing a new ppp session on a tunnel at pppol2tp_session_init. If
      the socket is closed by a thread while another is creating a new
      session, the threads race. In pppol2tp_connect, the tunnel object may
      be created if the pppol2tp socket is associated with the special
      session_id 0 and the tunnel socket is looked up using the provided
      fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
      socket to prevent it being destroyed during pppol2tp_connect since
      this may itself may race with the socket being destroyed. Doing
      sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
      tunnel->sock going away either because a given tunnel socket fd may be
      reused between calls to pppol2tp_connect. Instead, have
      l2tp_tunnel_create sock_hold the tunnel socket before it does
      sockfd_put. This ensures that the tunnel's socket is always extant
      while the tunnel object exists. Hold a ref on the socket until the
      tunnel is destroyed and ensure that all tunnel destroy paths go
      through a common function (l2tp_tunnel_delete) since this will do the
      final sock_put to release the tunnel socket.
      
      Since the tunnel's socket is now guaranteed to exist if the tunnel
      exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
      to derive the tunnel from the socket since this is always
      sk_user_data.
      
      Also, sessions no longer sock_hold the tunnel socket since sessions
      already hold a tunnel ref and the tunnel sock will not be freed until
      the tunnel is freed. Removing these sock_holds in
      l2tp_session_register avoids a possible sock leak in the
      pppol2tp_connect error path if l2tp_session_register succeeds but
      attaching a ppp channel fails. The pppol2tp_connect error path could
      have been fixed instead and have the sock ref dropped when the session
      is freed, but doing a sock_put of the tunnel socket when the session
      is freed would require a new session_free callback. It is simpler to
      just remove the sock_hold of the tunnel socket in
      l2tp_session_register, now that the tunnel socket lifetime is
      guaranteed.
      
      Finally, some init code in l2tp_tunnel_create is reordered to ensure
      that the new tunnel object's refcount is set and the tunnel socket ref
      is taken before the tunnel socket destructor callbacks are set.
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Modules linked in:
      CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
      Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      RIP: 0010:pppol2tp_session_init+0x1d6/0x500
      RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
      RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
      RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
      RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
      R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
      R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
      FS:  00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
      Call Trace:
       pppol2tp_connect+0xd18/0x13c0
       ? pppol2tp_session_create+0x170/0x170
       ? __might_fault+0x115/0x1d0
       ? lock_downgrade+0x860/0x860
       ? __might_fault+0xe5/0x1d0
       ? security_socket_connect+0x8e/0xc0
       SYSC_connect+0x1b6/0x310
       ? SYSC_bind+0x280/0x280
       ? __do_page_fault+0x5d1/0xca0
       ? up_read+0x1f/0x40
       ? __do_page_fault+0x3c8/0xca0
       SyS_connect+0x29/0x30
       ? SyS_accept+0x40/0x40
       do_syscall_64+0x1e0/0x730
       ? trace_hardirqs_off_thunk+0x1a/0x1c
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x7ffb3e376259
      RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
      RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
      RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
      RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
      R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
      Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f
      a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16
      
      Fixes: 80d84ef3 ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
      Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d00fa9ad
    • James Chapman's avatar
      l2tp: don't use inet_shutdown on ppp session destroy · 225eb264
      James Chapman authored
      Previously, if a ppp session was closed, we called inet_shutdown to mark
      the socket as unconnected such that userspace would get errors and
      then close the socket. This could race with userspace closing the
      socket. Instead, leave userspace to close the socket in its own time
      (our session will be detached anyway).
      
      BUG: KASAN: use-after-free in inet_shutdown+0x5d/0x1c0
      Read of size 4 at addr ffff880010ea3ac0 by task syzbot_347bd5ac/8296
      
      CPU: 3 PID: 8296 Comm: syzbot_347bd5ac Not tainted 4.16.0-rc1+ #91
      Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      Call Trace:
       dump_stack+0x101/0x157
       ? inet_shutdown+0x5d/0x1c0
       print_address_description+0x78/0x260
       ? inet_shutdown+0x5d/0x1c0
       kasan_report+0x240/0x360
       __asan_load4+0x78/0x80
       inet_shutdown+0x5d/0x1c0
       ? pppol2tp_show+0x80/0x80
       pppol2tp_session_close+0x68/0xb0
       l2tp_tunnel_closeall+0x199/0x210
       ? udp_v6_flush_pending_frames+0x90/0x90
       l2tp_udp_encap_destroy+0x6b/0xc0
       ? l2tp_tunnel_del_work+0x2e0/0x2e0
       udpv6_destroy_sock+0x8c/0x90
       sk_common_release+0x47/0x190
       udp_lib_close+0x15/0x20
       inet_release+0x85/0xd0
       inet6_release+0x43/0x60
       sock_release+0x53/0x100
       ? sock_alloc_file+0x260/0x260
       sock_close+0x1b/0x20
       __fput+0x19f/0x380
       ____fput+0x1a/0x20
       task_work_run+0xd2/0x110
       exit_to_usermode_loop+0x18d/0x190
       do_syscall_64+0x389/0x3b0
       entry_SYSCALL_64_after_hwframe+0x26/0x9b
      RIP: 0033:0x7fe240a45259
      RSP: 002b:00007fe241132df8 EFLAGS: 00000297 ORIG_RAX: 0000000000000003
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe240a45259
      RDX: 00007fe240a45259 RSI: 0000000000000000 RDI: 00000000000000a5
      RBP: 00007fe241132e20 R08: 00007fe241133700 R09: 0000000000000000
      R10: 00007fe241133700 R11: 0000000000000297 R12: 0000000000000000
      R13: 00007ffc49aff84f R14: 0000000000000000 R15: 00007fe241141040
      
      Allocated by task 8331:
       save_stack+0x43/0xd0
       kasan_kmalloc+0xad/0xe0
       kasan_slab_alloc+0x12/0x20
       kmem_cache_alloc+0x144/0x3e0
       sock_alloc_inode+0x22/0x130
       alloc_inode+0x3d/0xf0
       new_inode_pseudo+0x1c/0x90
       sock_alloc+0x30/0x110
       __sock_create+0xaa/0x4c0
       SyS_socket+0xbe/0x130
       do_syscall_64+0x128/0x3b0
       entry_SYSCALL_64_after_hwframe+0x26/0x9b
      
      Freed by task 8314:
       save_stack+0x43/0xd0
       __kasan_slab_free+0x11a/0x170
       kasan_slab_free+0xe/0x10
       kmem_cache_free+0x88/0x2b0
       sock_destroy_inode+0x49/0x50
       destroy_inode+0x77/0xb0
       evict+0x285/0x340
       iput+0x429/0x530
       dentry_unlink_inode+0x28c/0x2c0
       __dentry_kill+0x1e3/0x2f0
       dput.part.21+0x500/0x560
       dput+0x24/0x30
       __fput+0x2aa/0x380
       ____fput+0x1a/0x20
       task_work_run+0xd2/0x110
       exit_to_usermode_loop+0x18d/0x190
       do_syscall_64+0x389/0x3b0
       entry_SYSCALL_64_after_hwframe+0x26/0x9b
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      225eb264
    • James Chapman's avatar
      l2tp: don't use inet_shutdown on tunnel destroy · 76a6abdb
      James Chapman authored
      Previously, if a tunnel was closed, we called inet_shutdown to mark
      the socket as unconnected such that userspace would get errors and
      then close the socket. This could race with userspace closing the
      socket. Instead, leave userspace to close the socket in its own time
      (our tunnel will be detached anyway).
      
      BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
      IP: __lock_acquire+0x263/0x1630
      PGD 0 P4D 0
      Oops: 0000 [#1] SMP KASAN
      Modules linked in:
      CPU: 2 PID: 42 Comm: kworker/u8:2 Not tainted 4.15.0-rc7+ #129
      Workqueue: l2tp l2tp_tunnel_del_work
      RIP: 0010:__lock_acquire+0x263/0x1630
      RSP: 0018:ffff88001a37fc70 EFLAGS: 00010002
      RAX: 0000000000000001 RBX: 0000000000000088 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffff88001a37fd18 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 00000000000076fd R12: 00000000000000a0
      R13: ffff88001a3722c0 R14: 0000000000000001 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff88001ad00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000000000a0 CR3: 000000001730b000 CR4: 00000000000006e0
      Call Trace:
       ? __lock_acquire+0xc77/0x1630
       ? console_trylock+0x11/0xa0
       lock_acquire+0x117/0x230
       ? lock_sock_nested+0x3a/0xa0
       _raw_spin_lock_bh+0x3a/0x50
       ? lock_sock_nested+0x3a/0xa0
       lock_sock_nested+0x3a/0xa0
       inet_shutdown+0x33/0xf0
       l2tp_tunnel_del_work+0x60/0xef
       process_one_work+0x1ea/0x5f0
       ? process_one_work+0x162/0x5f0
       worker_thread+0x48/0x3e0
       ? trace_hardirqs_on+0xd/0x10
       kthread+0x108/0x140
       ? process_one_work+0x5f0/0x5f0
       ? kthread_stop+0x2a0/0x2a0
       ret_from_fork+0x24/0x30
      Code: 00 41 81 ff ff 1f 00 00 0f 87 7a 13 00 00 45 85 f6 49 8b 85
      68 08 00 00 0f 84 ae 03 00 00 c7 44 24 18 00 00 00 00 e9 f0 00 00 00 <49> 81 3c
      24 80 93 3f 83 b8 00 00 00 00 44 0f 44 c0 83 fe 01 0f
      RIP: __lock_acquire+0x263/0x1630 RSP: ffff88001a37fc70
      CR2: 00000000000000a0
      
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      76a6abdb
  3. 23 Feb, 2018 21 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 9cb9c07d
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix TTL offset calculation in mac80211 mesh code, from Peter Oh.
      
       2) Fix races with procfs in ipt_CLUSTERIP, from Cong Wang.
      
       3) Memory leak fix in lpm_trie BPF map code, from Yonghong Song.
      
       4) Need to use GFP_ATOMIC in BPF cpumap allocations, from Jason Wang.
      
       5) Fix potential deadlocks in netfilter getsockopt() code paths, from
          Paolo Abeni.
      
       6) Netfilter stackpointer size checks really are needed to validate
          user input, from Florian Westphal.
      
       7) Missing timer init in x_tables, from Paolo Abeni.
      
       8) Don't use WQ_MEM_RECLAIM in mac80211 hwsim, from Johannes Berg.
      
       9) When an ibmvnic device is brought down then back up again, it can be
          sent queue entries from a previous session, handle this properly
          instead of crashing. From Thomas Falcon.
      
      10) Fix TCP checksum on LRO buffers in mlx5e, from Gal Pressman.
      
      11) When we are dumping filters in cls_api, the output SKB is empty, and
          the filter we are dumping is too large for the space in the SKB, we
          should return -EMSGSIZE like other netlink dump operations do.
          Otherwise userland has no signal that is needs to increase the size
          of its read buffer. From Roman Kapl.
      
      12) Several XDP fixes for virtio_net, from Jesper Dangaard Brouer.
      
      13) Module refcount leak in netlink when a dump start fails, from Jason
          Donenfeld.
      
      14) Handle sub-optimal GSO sizes better in TCP BBR congestion control,
          from Eric Dumazet.
      
      15) Releasing bpf per-cpu arraymaps can take a long time, add a
          condtional scheduling point. From Eric Dumazet.
      
      16) Implement retpolines for tail calls in x64 and arm64 bpf JITs. From
          Daniel Borkmann.
      
      17) Fix page leak in gianfar driver, from Andy Spencer.
      
      18) Missed clearing of estimator scratch buffer, from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (76 commits)
        net_sched: gen_estimator: fix broken estimators based on percpu stats
        gianfar: simplify FCS handling and fix memory leak
        ipv6 sit: work around bogus gcc-8 -Wrestrict warning
        macvlan: fix use-after-free in macvlan_common_newlink()
        bpf, arm64: fix out of bounds access in tail call
        bpf, x64: implement retpoline for tail call
        rxrpc: Fix send in rxrpc_send_data_packet()
        net: aquantia: Fix error handling in aq_pci_probe()
        bpf: fix rcu lockdep warning for lpm_trie map_free callback
        bpf: add schedule points in percpu arrays management
        regulatory: add NUL to request alpha2
        ibmvnic: Fix early release of login buffer
        net/smc9194: Remove bogus CONFIG_MAC reference
        net: ipv4: Set addr_type in hash_keys for forwarded case
        tcp_bbr: better deal with suboptimal GSO
        smsc75xx: fix smsc75xx_set_features()
        netlink: put module reference if dump start fails
        selftests/bpf/test_maps: exit child process without error in ENOMEM case
        selftests/bpf: update gitignore with test_libbpf_open
        selftests/bpf: tcpbpf_kern: use in6_* macros from glibc
        ..
      9cb9c07d
    • Linus Torvalds's avatar
      Merge branch 'fixes-v4.16-rc3' of... · 2eb02aa9
      Linus Torvalds authored
      Merge branch 'fixes-v4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
      
      Pull security subsystem fixes from James Morris:
      
       - keys fixes via David Howells:
            "A collection of fixes for Linux keyrings, mostly thanks to Eric
             Biggers:
      
              - Fix some PKCS#7 verification issues.
      
              - Fix handling of unsupported crypto in X.509.
      
              - Fix too-large allocation in big_key"
      
       - Seccomp updates via Kees Cook:
            "These are fixes for the get_metadata interface that landed during
             -rc1. While the new selftest is strictly not a bug fix, I think
             it's in the same spirit of avoiding bugs"
      
       - an IMA build fix from Randy Dunlap
      
      * 'fixes-v4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        integrity/security: fix digsig.c build error with header file
        KEYS: Use individual pages in big_key for crypto buffers
        X.509: fix NULL dereference when restricting key with unsupported_sig
        X.509: fix BUG_ON() when hash algorithm is unsupported
        PKCS#7: fix direct verification of SignerInfo signature
        PKCS#7: fix certificate blacklisting
        PKCS#7: fix certificate chain verification
        seccomp: add a selftest for get_metadata
        ptrace, seccomp: tweak get_metadata behavior slightly
        seccomp, ptrace: switch get_metadata types to arch independent
      2eb02aa9
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 65738c6b
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
       "arm64 and perf fixes:
      
         - build error when accessing MPIDR_HWID_BITMASK from .S
      
         - fix CTR_EL0 field definitions
      
         - remove/disable some kernel messages on user faults (unhandled
           signals, unimplemented syscalls)
      
         - fix kernel page fault in unwind_frame() with function graph tracing
      
         - fix perf sleeping while atomic errors when booting with ACPI"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: fix unwind_frame() for filtered out fn for function graph tracing
        arm64: Enforce BBM for huge IO/VMAP mappings
        arm64: perf: correct PMUVer probing
        arm_pmu: acpi: request IRQs up-front
        arm_pmu: note IRQs and PMUs per-cpu
        arm_pmu: explicitly enable/disable SPIs at hotplug
        arm_pmu: acpi: check for mismatched PPIs
        arm_pmu: add armpmu_alloc_atomic()
        arm_pmu: fold platform helpers into platform code
        arm_pmu: kill arm_pmu_platdata
        ARM: ux500: remove PMU IRQ bouncer
        arm64: __show_regs: Only resolve kernel symbols when running at EL1
        arm64: Remove unimplemented syscall log message
        arm64: Disable unhandled signal log messages by default
        arm64: cpufeature: Fix CTR_EL0 field definitions
        arm64: uaccess: Formalise types for access_ok()
        arm64: Fix compilation error while accessing MPIDR_HWID_BITMASK from .S files
      65738c6b
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.16_3' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · 2bd06ce7
      Linus Torvalds authored
      Pull MIPS fix from James Hogan:
       "A single MIPS fix for mismatching struct compat_flock, resulting in
        bus errors starting Firefox on Debian 8 since 4.13"
      
      * tag 'mips_fixes_4.16_3' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        MIPS: Drop spurious __unused in struct compat_flock
      2bd06ce7
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk · 13f514be
      Linus Torvalds authored
      Pull printk fixlet from Petr Mladek:
       "People expect to see the real pointer value for %px.
      
        Let's substitute '(null)' only for the other %p? format modifiers that
        need to deference the pointer"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
        vsprintf: avoid misleading "(null)" for %px
      13f514be
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 938e1426
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Two bugfixes, one v4.16 regression fix, and two documentation fixes"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: designware: Consider SCL GPIO optional
        i2c: busses: i2c-sirf: Fix spelling: "formular" -> "formula".
        i2c: bcm2835: Set up the rising/falling edge delays
        i2c: i801: Add missing documentation entries for Braswell and Kaby Lake
        i2c: designware: must wait for enable
      938e1426
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 170e07bf
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "These are mostly fixes for problems with merge window code.
      
        In addition we have one doc update (alua) and two dead code removals
        (aiclib and octogon) a spurious assignment removal (csiostor) and a
        performance improvement for storvsc involving better interrupt
        spreading and increasing the command per lun handling"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla4xxx: skip error recovery in case of register disconnect.
        scsi: aacraid: fix shutdown crash when init fails
        scsi: qedi: Cleanup local str variable
        scsi: qedi: Fix truncation of CHAP name and secret
        scsi: qla2xxx: Fix incorrect handle for abort IOCB
        scsi: qla2xxx: Fix double free bug after firmware timeout
        scsi: storvsc: Increase cmd_per_lun for higher speed devices
        scsi: qla2xxx: Fix a locking imbalance in qlt_24xx_handle_els()
        scsi: scsi_dh: Document alua_rtpg_queue() arguments
        scsi: Remove Makefile entry for oktagon files
        scsi: aic7xxx: remove aiclib.c
        scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion()
        scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
        scsi: sym53c8xx_2: iterator underflow in sym_getsync()
        scsi: bnx2fc: Fix check in SCSI completion handler for timed out request
        scsi: csiostor: remove redundant assignment to pointer 'ln'
        scsi: ufs: Enable quirk to ignore sending WRITE_SAME command
        scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
        scsi: qla2xxx: Fix memory corruption during hba reset test
        scsi: mpt3sas: fix an out of bound write
      170e07bf
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.16-rc3' of git://people.freedesktop.org/~airlied/linux · 8961ca44
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "A bunch of fixes for rc3:
      
        Exynos:
         - fixes for using monotonic timestamps
         - register definitions
         - removal of unused file
      
        ipu-v3L
         - minor changes
         - make some register arrays const+static
         - fix some leaks
      
        meson:
         - fix for vsync
      
        atomic:
         - fix for memory leak
      
        EDID parser:
         - add quirks for some more non-desktop devices
         - 6-bit panel fix.
      
        drm_mm:
         - fix a bug in the core drm mm hole handling
      
        cirrus:
         - fix lut loading regression
      
        Lastly there is a deadlock fix around runtime suspend for secondary
        GPUs.
      
        There was a deadlock between one thread trying to wait for a workqueue
        job to finish in the runtime suspend path, and the workqueue job it
        was waiting for in turn waiting for a runtime_get_sync to return.
      
        The fixes avoids it by not doing the runtime sync in the workqueue as
        then we always wait for all those tasks to complete before we runtime
        suspend"
      
      * tag 'drm-fixes-for-v4.16-rc3' of git://people.freedesktop.org/~airlied/linux: (25 commits)
        drm/tve200: fix kernel-doc documentation comment include
        drm/edid: quirk Sony PlayStation VR headset as non-desktop
        drm/edid: quirk Windows Mixed Reality headsets as non-desktop
        drm/edid: quirk Oculus Rift headsets as non-desktop
        drm/meson: fix vsync buffer update
        drm: Handle unexpected holes in color-eviction
        drm: exynos: Use proper macro definition for HDMI_I2S_PIN_SEL_1
        drm/exynos: remove exynos_drm_rotator.h
        drm/exynos: g2d: Delete an error message for a failed memory allocation in two functions
        drm/exynos: fix comparison to bitshift when dealing with a mask
        drm/exynos: g2d: use monotonic timestamps
        drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
        gpu: ipu-csi: add 10/12-bit grayscale support to mbus_code_to_bus_cfg
        gpu: ipu-cpmem: add 16-bit grayscale support to ipu_cpmem_set_image
        gpu: ipu-v3: prg: fix device node leak in ipu_prg_lookup_by_phandle
        gpu: ipu-v3: pre: fix device node leak in ipu_pre_lookup_by_phandle
        drm/amdgpu: Fix deadlock on runtime suspend
        drm/radeon: Fix deadlock on runtime suspend
        drm/nouveau: Fix deadlock on runtime suspend
        drm: Allow determining if current task is output poll worker
        ...
      8961ca44
    • Eric Dumazet's avatar
      net_sched: gen_estimator: fix broken estimators based on percpu stats · a5f7add3
      Eric Dumazet authored
      pfifo_fast got percpu stats lately, uncovering a bug I introduced last
      year in linux-4.10.
      
      I missed the fact that we have to clear our temporary storage
      before calling __gnet_stats_copy_basic() in the case of percpu stats.
      
      Without this fix, rate estimators (tc qd replace dev xxx root est 1sec
      4sec pfifo_fast) are utterly broken.
      
      Fixes: 1c0d32fd ("net_sched: gen_estimator: complete rewrite of rate estimators")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5f7add3
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 22170094
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2018-02-22
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) two urgent fixes for bpf_tail_call logic for x64 and arm64 JITs, from Daniel.
      
      2) cond_resched points in percpu array alloc/free paths, from Eric.
      
      3) lockdep and other minor fixes, from Yonghong, Arnd, Anders, Li.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22170094
    • Andy Spencer's avatar
      gianfar: simplify FCS handling and fix memory leak · d903ec77
      Andy Spencer authored
      Previously, buffer descriptors containing only the frame check sequence
      (FCS) were skipped and not added to the skb. However, the page reference
      count was still incremented, leading to a memory leak.
      
      Fixing this inside gfar_add_rx_frag() is difficult due to reserved
      memory handling and page reuse. Instead, move the FCS handling to
      gfar_process_frame() and trim off the FCS before passing the skb up the
      networking stack.
      Signed-off-by: default avatarAndy Spencer <aspencer@spacex.com>
      Signed-off-by: default avatarJim Gruen <jgruen@spacex.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d903ec77
    • Arnd Bergmann's avatar
      ipv6 sit: work around bogus gcc-8 -Wrestrict warning · ca79bec2
      Arnd Bergmann authored
      gcc-8 has a new warning that detects overlapping input and output arguments
      in memcpy(). It triggers for sit_init_net() calling ipip6_tunnel_clone_6rd(),
      which is actually correct:
      
      net/ipv6/sit.c: In function 'sit_init_net':
      net/ipv6/sit.c:192:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
      
      The problem here is that the logic detecting the memcpy() arguments finds them
      to be the same, but the conditional that tests for the input and output of
      ipip6_tunnel_clone_6rd() to be identical is not a compile-time constant.
      
      We know that netdev_priv(t->dev) is the same as t for a tunnel device,
      and comparing "dev" directly here lets the compiler figure out as well
      that 'dev == sitn->fb_tunnel_dev' when called from sit_init_net(), so
      it no longer warns.
      
      This code is old, so Cc stable to make sure that we don't get the warning
      for older kernels built with new gcc.
      
      Cc: Martin Sebor <msebor@gmail.com>
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83456Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ca79bec2
    • Alexey Kodanev's avatar
      macvlan: fix use-after-free in macvlan_common_newlink() · 4e14bf42
      Alexey Kodanev authored
      The following use-after-free was reported by KASan when running
      LTP macvtap01 test on 4.16-rc2:
      
      [10642.528443] BUG: KASAN: use-after-free in
                     macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
      [10642.626607] Read of size 8 at addr ffff880ba49f2100 by task ip/18450
      ...
      [10642.963873] Call Trace:
      [10642.994352]  dump_stack+0x5c/0x7c
      [10643.035325]  print_address_description+0x75/0x290
      [10643.092938]  kasan_report+0x28d/0x390
      [10643.137971]  ? macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
      [10643.207963]  macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
      [10643.275978]  macvtap_newlink+0x171/0x260 [macvtap]
      [10643.334532]  rtnl_newlink+0xd4f/0x1300
      ...
      [10646.256176] Allocated by task 18450:
      [10646.299964]  kasan_kmalloc+0xa6/0xd0
      [10646.343746]  kmem_cache_alloc_trace+0xf1/0x210
      [10646.397826]  macvlan_common_newlink+0x6de/0x14a0 [macvlan]
      [10646.464386]  macvtap_newlink+0x171/0x260 [macvtap]
      [10646.522728]  rtnl_newlink+0xd4f/0x1300
      ...
      [10647.022028] Freed by task 18450:
      [10647.061549]  __kasan_slab_free+0x138/0x180
      [10647.111468]  kfree+0x9e/0x1c0
      [10647.147869]  macvlan_port_destroy+0x3db/0x650 [macvlan]
      [10647.211411]  rollback_registered_many+0x5b9/0xb10
      [10647.268715]  rollback_registered+0xd9/0x190
      [10647.319675]  register_netdevice+0x8eb/0xc70
      [10647.370635]  macvlan_common_newlink+0xe58/0x14a0 [macvlan]
      [10647.437195]  macvtap_newlink+0x171/0x260 [macvtap]
      
      Commit d02fd6e7 ("macvlan: Fix one possible double free") handles
      the case when register_netdevice() invokes ndo_uninit() on error and
      as a result free the port. But 'macvlan_port_get_rtnl(dev))' check
      (returns dev->rx_handler_data), which was added by this commit in order
      to prevent double free, is not quite correct:
      
      * for macvlan it always returns NULL because 'lowerdev' is the one that
        was used to register rx handler (port) in macvlan_port_create() as
        well as to unregister it in macvlan_port_destroy().
      * for macvtap it always returns a valid pointer because macvtap registers
        its own rx handler before macvlan_common_newlink().
      
      Fixes: d02fd6e7 ("macvlan: Fix one possible double free")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4e14bf42
    • Pratyush Anand's avatar
      arm64: fix unwind_frame() for filtered out fn for function graph tracing · 9f416319
      Pratyush Anand authored
      do_task_stat() calls get_wchan(), which further does unwind_frame().
      unwind_frame() restores frame->pc to original value in case function
      graph tracer has modified a return address (LR) in a stack frame to hook
      a function return. However, if function graph tracer has hit a filtered
      function, then we can't unwind it as ftrace_push_return_trace() has
      biased the index(frame->graph) with a 'huge negative'
      offset(-FTRACE_NOTRACE_DEPTH).
      
      Moreover, arm64 stack walker defines index(frame->graph) as unsigned
      int, which can not compare a -ve number.
      
      Similar problem we can have with calling of walk_stackframe() from
      save_stack_trace_tsk() or dump_backtrace().
      
      This patch fixes unwind_frame() to test the index for -ve value and
      restore index accordingly before we can restore frame->pc.
      
      Reproducer:
      
      cd /sys/kernel/debug/tracing/
      echo schedule > set_graph_notrace
      echo 1 > options/display-graph
      echo wakeup > current_tracer
      ps -ef | grep -i agent
      
      Above commands result in:
      Unable to handle kernel paging request at virtual address ffff801bd3d1e000
      pgd = ffff8003cbe97c00
      [ffff801bd3d1e000] *pgd=0000000000000000, *pud=0000000000000000
      Internal error: Oops: 96000006 [#1] SMP
      [...]
      CPU: 5 PID: 11696 Comm: ps Not tainted 4.11.0+ #33
      [...]
      task: ffff8003c21ba000 task.stack: ffff8003cc6c0000
      PC is at unwind_frame+0x12c/0x180
      LR is at get_wchan+0xd4/0x134
      pc : [<ffff00000808892c>] lr : [<ffff0000080860b8>] pstate: 60000145
      sp : ffff8003cc6c3ab0
      x29: ffff8003cc6c3ab0 x28: 0000000000000001
      x27: 0000000000000026 x26: 0000000000000026
      x25: 00000000000012d8 x24: 0000000000000000
      x23: ffff8003c1c04000 x22: ffff000008c83000
      x21: ffff8003c1c00000 x20: 000000000000000f
      x19: ffff8003c1bc0000 x18: 0000fffffc593690
      x17: 0000000000000000 x16: 0000000000000001
      x15: 0000b855670e2b60 x14: 0003e97f22cf1d0f
      x13: 0000000000000001 x12: 0000000000000000
      x11: 00000000e8f4883e x10: 0000000154f47ec8
      x9 : 0000000070f367c0 x8 : 0000000000000000
      x7 : 00008003f7290000 x6 : 0000000000000018
      x5 : 0000000000000000 x4 : ffff8003c1c03cb0
      x3 : ffff8003c1c03ca0 x2 : 00000017ffe80000
      x1 : ffff8003cc6c3af8 x0 : ffff8003d3e9e000
      
      Process ps (pid: 11696, stack limit = 0xffff8003cc6c0000)
      Stack: (0xffff8003cc6c3ab0 to 0xffff8003cc6c4000)
      [...]
      [<ffff00000808892c>] unwind_frame+0x12c/0x180
      [<ffff000008305008>] do_task_stat+0x864/0x870
      [<ffff000008305c44>] proc_tgid_stat+0x3c/0x48
      [<ffff0000082fde0c>] proc_single_show+0x5c/0xb8
      [<ffff0000082b27e0>] seq_read+0x160/0x414
      [<ffff000008289e6c>] __vfs_read+0x58/0x164
      [<ffff00000828b164>] vfs_read+0x88/0x144
      [<ffff00000828c2e8>] SyS_read+0x60/0xc0
      [<ffff0000080834a0>] __sys_trace_return+0x0/0x4
      
      Fixes: 20380bb3 (arm64: ftrace: fix a stack tracer's output under function graph tracer)
      Signed-off-by: default avatarPratyush Anand <panand@redhat.com>
      Signed-off-by: default avatarJerome Marchand <jmarchan@redhat.com>
      [catalin.marinas@arm.com: replace WARN_ON with WARN_ON_ONCE]
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      9f416319
    • Randy Dunlap's avatar
      integrity/security: fix digsig.c build error with header file · 120f3b11
      Randy Dunlap authored
      security/integrity/digsig.c has build errors on some $ARCH due to a
      missing header file, so add it.
      
        security/integrity/digsig.c:146:2: error: implicit declaration of function 'vfree' [-Werror=implicit-function-declaration]
      Reported-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Cc: linux-integrity@vger.kernel.org
      Link: http://kisskb.ellerman.id.au/kisskb/head/13396/Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      120f3b11
    • James Morris's avatar
      Merge tag 'keys-fixes-20180222-2' of... · 16c4db3b
      James Morris authored
      Merge tag 'keys-fixes-20180222-2' of https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into fixes-v4.16-rc3
      
      Keyrings fixes.
      16c4db3b
    • Dave Airlie's avatar
      Merge tag 'imx-drm-next-2018-02-22' of git://git.pengutronix.de/git/pza/linux into drm-fixes · b17800e9
      Dave Airlie authored
      drm/imx: ipu-v3 fixups and grayscale support
      
      - Make const interrupt register arrays static, reduces object size.
      - Fix device_node leaks in PRE/PRG phandle lookup functions.
      - Add 8-bit and 16-bit grayscale buffer support to ipu_cpmem_set_image,
      - add 10-bit and 12-bit grayscale media bus support to ipu-csi,
        to be used by the imx-media driver.
      
      * tag 'imx-drm-next-2018-02-22' of git://git.pengutronix.de/git/pza/linux:
        gpu: ipu-csi: add 10/12-bit grayscale support to mbus_code_to_bus_cfg
        gpu: ipu-cpmem: add 16-bit grayscale support to ipu_cpmem_set_image
        gpu: ipu-v3: prg: fix device node leak in ipu_prg_lookup_by_phandle
        gpu: ipu-v3: pre: fix device node leak in ipu_pre_lookup_by_phandle
        gpu: ipu-cpmem: add 8-bit grayscale support to ipu_cpmem_set_image
        gpu: ipu-v3: make const arrays int_reg static, shrinks object size
      b17800e9
    • Kees Cook's avatar
      MIPS: boot: Define __ASSEMBLY__ for its.S build · 0f9da844
      Kees Cook authored
      The MIPS %.its.S compiler command did not define __ASSEMBLY__, which meant
      when compiler_types.h was added to kconfig.h, unexpected things appeared
      (e.g. struct declarations) which should not have been present. As done in
      the general %.S compiler command, __ASSEMBLY__ is now included here too.
      
      The failure was:
      
          Error: arch/mips/boot/vmlinux.gz.its:201.1-2 syntax error
          FATAL ERROR: Unable to parse input tree
          /usr/bin/mkimage: Can't read arch/mips/boot/vmlinux.gz.itb.tmp: Invalid argument
          /usr/bin/mkimage Can't add hashes to FIT blob
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Fixes: 28128c61 ("kconfig.h: Include compiler types to avoid missed struct attributes")
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0f9da844
    • Linus Torvalds's avatar
      Merge branch 'siginfo-linus' of... · bae6cfe8
      Linus Torvalds authored
      Merge branch 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
      
      Pull siginfo fix from Eric Biederman:
       "This fixes a build error that only shows up on blackfin"
      
      * 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        fs/signalfd: fix build error for BUS_MCEERR_AR
      bae6cfe8
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 0bb78166
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "Fix an oops in the s5p-sss driver when used with ecb(aes)"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
      0bb78166
    • Daniel Borkmann's avatar
      bpf, arm64: fix out of bounds access in tail call · 16338a9b
      Daniel Borkmann authored
      I recently noticed a crash on arm64 when feeding a bogus index
      into BPF tail call helper. The crash would not occur when the
      interpreter is used, but only in case of JIT. Output looks as
      follows:
      
        [  347.007486] Unable to handle kernel paging request at virtual address fffb850e96492510
        [...]
        [  347.043065] [fffb850e96492510] address between user and kernel address ranges
        [  347.050205] Internal error: Oops: 96000004 [#1] SMP
        [...]
        [  347.190829] x13: 0000000000000000 x12: 0000000000000000
        [  347.196128] x11: fffc047ebe782800 x10: ffff808fd7d0fd10
        [  347.201427] x9 : 0000000000000000 x8 : 0000000000000000
        [  347.206726] x7 : 0000000000000000 x6 : 001c991738000000
        [  347.212025] x5 : 0000000000000018 x4 : 000000000000ba5a
        [  347.217325] x3 : 00000000000329c4 x2 : ffff808fd7cf0500
        [  347.222625] x1 : ffff808fd7d0fc00 x0 : ffff808fd7cf0500
        [  347.227926] Process test_verifier (pid: 4548, stack limit = 0x000000007467fa61)
        [  347.235221] Call trace:
        [  347.237656]  0xffff000002f3a4fc
        [  347.240784]  bpf_test_run+0x78/0xf8
        [  347.244260]  bpf_prog_test_run_skb+0x148/0x230
        [  347.248694]  SyS_bpf+0x77c/0x1110
        [  347.251999]  el0_svc_naked+0x30/0x34
        [  347.255564] Code: 9100075a d280220a 8b0a002a d37df04b (f86b694b)
        [...]
      
      In this case the index used in BPF r3 is the same as in r1
      at the time of the call, meaning we fed a pointer as index;
      here, it had the value 0xffff808fd7cf0500 which sits in x2.
      
      While I found tail calls to be working in general (also for
      hitting the error cases), I noticed the following in the code
      emission:
      
        # bpftool p d j i 988
        [...]
        38:   ldr     w10, [x1,x10]
        3c:   cmp     w2, w10
        40:   b.ge    0x000000000000007c              <-- signed cmp
        44:   mov     x10, #0x20                      // #32
        48:   cmp     x26, x10
        4c:   b.gt    0x000000000000007c
        50:   add     x26, x26, #0x1
        54:   mov     x10, #0x110                     // #272
        58:   add     x10, x1, x10
        5c:   lsl     x11, x2, #3
        60:   ldr     x11, [x10,x11]                  <-- faulting insn (f86b694b)
        64:   cbz     x11, 0x000000000000007c
        [...]
      
      Meaning, the tests passed because commit ddb55992 ("arm64:
      bpf: implement bpf_tail_call() helper") was using signed compares
      instead of unsigned which as a result had the test wrongly passing.
      
      Change this but also the tail call count test both into unsigned
      and cap the index as u32. Latter we did as well in 90caccdd
      ("bpf: fix bpf_tail_call() x64 JIT") and is needed in addition here,
      too. Tested on HiSilicon Hi1616.
      
      Result after patch:
      
        # bpftool p d j i 268
        [...]
        38:	ldr	w10, [x1,x10]
        3c:	add	w2, w2, #0x0
        40:	cmp	w2, w10
        44:	b.cs	0x0000000000000080
        48:	mov	x10, #0x20                  	// #32
        4c:	cmp	x26, x10
        50:	b.hi	0x0000000000000080
        54:	add	x26, x26, #0x1
        58:	mov	x10, #0x110                 	// #272
        5c:	add	x10, x1, x10
        60:	lsl	x11, x2, #3
        64:	ldr	x11, [x10,x11]
        68:	cbz	x11, 0x0000000000000080
        [...]
      
      Fixes: ddb55992 ("arm64: bpf: implement bpf_tail_call() helper")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      16338a9b
  4. 22 Feb, 2018 2 commits
    • Daniel Borkmann's avatar
      bpf, x64: implement retpoline for tail call · a493a87f
      Daniel Borkmann authored
      Implement a retpoline [0] for the BPF tail call JIT'ing that converts
      the indirect jump via jmp %rax that is used to make the long jump into
      another JITed BPF image. Since this is subject to speculative execution,
      we need to control the transient instruction sequence here as well
      when CONFIG_RETPOLINE is set, and direct it into a pause + lfence loop.
      The latter aligns also with what gcc / clang emits (e.g. [1]).
      
      JIT dump after patch:
      
        # bpftool p d x i 1
         0: (18) r2 = map[id:1]
         2: (b7) r3 = 0
         3: (85) call bpf_tail_call#12
         4: (b7) r0 = 2
         5: (95) exit
      
      With CONFIG_RETPOLINE:
      
        # bpftool p d j i 1
        [...]
        33:	cmp    %edx,0x24(%rsi)
        36:	jbe    0x0000000000000072  |*
        38:	mov    0x24(%rbp),%eax
        3e:	cmp    $0x20,%eax
        41:	ja     0x0000000000000072  |
        43:	add    $0x1,%eax
        46:	mov    %eax,0x24(%rbp)
        4c:	mov    0x90(%rsi,%rdx,8),%rax
        54:	test   %rax,%rax
        57:	je     0x0000000000000072  |
        59:	mov    0x28(%rax),%rax
        5d:	add    $0x25,%rax
        61:	callq  0x000000000000006d  |+
        66:	pause                      |
        68:	lfence                     |
        6b:	jmp    0x0000000000000066  |
        6d:	mov    %rax,(%rsp)         |
        71:	retq                       |
        72:	mov    $0x2,%eax
        [...]
      
        * relative fall-through jumps in error case
        + retpoline for indirect jump
      
      Without CONFIG_RETPOLINE:
      
        # bpftool p d j i 1
        [...]
        33:	cmp    %edx,0x24(%rsi)
        36:	jbe    0x0000000000000063  |*
        38:	mov    0x24(%rbp),%eax
        3e:	cmp    $0x20,%eax
        41:	ja     0x0000000000000063  |
        43:	add    $0x1,%eax
        46:	mov    %eax,0x24(%rbp)
        4c:	mov    0x90(%rsi,%rdx,8),%rax
        54:	test   %rax,%rax
        57:	je     0x0000000000000063  |
        59:	mov    0x28(%rax),%rax
        5d:	add    $0x25,%rax
        61:	jmpq   *%rax               |-
        63:	mov    $0x2,%eax
        [...]
      
        * relative fall-through jumps in error case
        - plain indirect jump as before
      
        [0] https://support.google.com/faqs/answer/7625886
        [1] https://github.com/gcc-mirror/gcc/commit/a31e654fa107be968b802786d747e962c2fcdb2bSigned-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a493a87f
    • Randy Dunlap's avatar
      fs/signalfd: fix build error for BUS_MCEERR_AR · 9026e820
      Randy Dunlap authored
      Fix build error in fs/signalfd.c by using same method that is used in
      kernel/signal.c: separate blocks for different signal si_code values.
      
      ./fs/signalfd.c: error: 'BUS_MCEERR_AR' undeclared (first use in this function)
      Reported-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      9026e820