1. 30 Nov, 2017 4 commits
  2. 29 Nov, 2017 20 commits
    • Merge tag 'nfsd-4.15-1' of git://linux-nfs.org/~bfields/linux · b9151761
      Linus Torvalds authored
      Pull nfsd fixes from Bruce Fields:
       "I screwed up my merge window pull request; I only sent half of what I
        meant to.
      
        There were no new features, just bugfixes of various importance and
        some very minor cleanup, so I think it's all still appropriate for
        -rc2.
      
        Highlights:
      
         - Fixes from Trond for some races in the NFSv4 state code.
      
         - Fix from Naofumi Honda for a typo in the blocked lock notification
           code
      
         - Fixes from Vasily Averin for some problems starting and stopping
           lockd especially in network namespaces"
      
      * tag 'nfsd-4.15-1' of git://linux-nfs.org/~bfields/linux: (23 commits)
        lockd: fix "list_add double add" caused by legacy signal interface
        nlm_shutdown_hosts_net() cleanup
        race of nfsd inetaddr notifiers vs nn->nfsd_serv change
        race of lockd inetaddr notifiers vs nlmsvc_rqst change
        SUNRPC: make cache_detail structures const
        NFSD: make cache_detail structures const
        sunrpc: make the function arg as const
        nfsd: check for use of the closed special stateid
        nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat
        lockd: lost rollback of set_grace_period() in lockd_down_net()
        lockd: added cleanup checks in exit_net hook
        grace: replace BUG_ON by WARN_ONCE in exit_net hook
        nfsd: fix locking validator warning on nfs4_ol_stateid->st_mutex class
        lockd: remove net pointer from messages
        nfsd: remove net pointer from debug messages
        nfsd: Fix races with check_stateid_generation()
        nfsd: Ensure we check stateid validity in the seqid operation checks
        nfsd: Fix race in lock stateid creation
        nfsd4: move find_lock_stateid
        nfsd: Ensure we don't recognise lock stateids after freeing them
        ...
    • Merge tag 'for-4.15-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 26cd9474
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "We've collected some fixes in since the pre-merge window freeze.
      
        There's technically only one regression fix for 4.15, but the rest
        seems important and candidates for stable.
      
         - fix missing flush bio puts in error cases (is serious, but rarely
           happens)
      
         - fix reporting stat::st_blocks for buffered append writes
      
         - fix space cache invalidation
      
         - fix out of bound memory access when setting zlib level
      
         - fix potential memory corruption when fsync fails in the middle
      
         - fix crash in integrity checker
      
         - incremental send fix, path mixup for certain unlink/rename
           combination
      
         - pass flags to writeback so compressed writes can be throttled
           properly
      
         - error handling fixes"
      
      * tag 'for-4.15-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        Btrfs: incremental send, fix wrong unlink path after renaming file
        btrfs: tree-checker: Fix false panic for sanity test
        Btrfs: fix list_add corruption and soft lockups in fsync
        btrfs: Fix wild memory access in compression level parser
        btrfs: fix deadlock when writing out space cache
        btrfs: clear space cache inode generation always
        Btrfs: fix reported number of inode blocks after buffered append writes
        Btrfs: move definition of the function btrfs_find_new_delalloc_bytes
        Btrfs: bail out gracefully rather than BUG_ON
        btrfs: dev_alloc_list is not protected by RCU, use normal list_del
        btrfs: add missing device::flush_bio puts
        btrfs: Fix transaction abort during failure in btrfs_rm_dev_item
        Btrfs: add write_flags for compression bio
    • Merge tag 'microblaze-4.15-rc2' of git://git.monstr.eu/linux-2.6-microblaze · 198e0c0c
      Linus Torvalds authored
      Pull Microblaze fix from Michal Simek:
       "Add missing header to mmu_context_mm.h"
      
      * tag 'microblaze-4.15-rc2' of git://git.monstr.eu/linux-2.6-microblaze:
        microblaze: add missing include to mmu_context_mm.h
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · fccfde44
      Linus Torvalds authored
      Pull sparc fix from David Miller:
       "Sparc T4 and later cpu bootup regression fix"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix boot on T4 and later.
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 96c22a49
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) The forcedeth conversion from pci_*() DMA interfaces to dma_*() ones
          missed one spot. From Zhu Yanjun.
      
       2) Missing CRYPTO_SHA256 Kconfig dep in cfg80211, from Johannes Berg.
      
       3) Fix checksum offloading in thunderx driver, from Sunil Goutham.
      
       4) Add SPDX to vm_sockets_diag.h, from Stephen Hemminger.
      
       5) Fix use after free of packet headers in TIPC, from Jon Maloy.
      
       6) "sizeof(ptr)" vs "sizeof(*ptr)" bug in i40e, from Gustavo A R Silva.
      
       7) Tunneling fixes in mlxsw driver, from Petr Machata.
      
       8) Fix crash in fanout_demux_rollover() of AF_PACKET, from Mike
          Maloney.
      
       9) Fix race in AF_PACKET bind() vs. NETDEV_UP notifier, from Eric
          Dumazet.
      
      10) Fix regression in sch_sfq.c due to one of the timer_setup()
          conversions. From Paolo Abeni.
      
      11) SCTP does list_for_each_entry() using wrong struct member, fix from
          Xin Long.
      
      12) Don't use big endian netlink attribute read for
          IFLA_BOND_AD_ACTOR_SYSTEM, it is in cpu endianness. Also from Xin
          Long.
      
      13) Fix mis-initialization of q->link.clock in CBQ scheduler, preventing
          adding filters there. From Jiri Pirko.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (67 commits)
        ethernet: dwmac-stm32: Fix copyright
        net: via: via-rhine: use %p to format void * address instead of %x
        net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit
        myri10ge: Update MAINTAINERS
        net: sched: cbq: create block for q->link.block
        atm: suni: remove extraneous space to fix indentation
        atm: lanai: use %p to format kernel addresses instead of %x
        VSOCK: Don't set sk_state to TCP_CLOSE before testing it
        atm: fore200e: use %pK to format kernel addresses instead of %x
        ambassador: fix incorrect indentation of assignment statement
        vxlan: use __be32 type for the param vni in __vxlan_fdb_delete
        bonding: use nla_get_u64 to extract the value for IFLA_BOND_AD_ACTOR_SYSTEM
        sctp: use right member as the param of list_for_each_entry
        sch_sfq: fix null pointer dereference at timer expiration
        cls_bpf: don't decrement net's refcount when offload fails
        net/packet: fix a race in packet_bind() and packet_notifier()
        packet: fix crash in fanout_demux_rollover()
        sctp: remove extern from stream sched
        sctp: force the params with right types for sctp csum apis
        sctp: force SCTP_ERROR_INV_STRM with __u32 when calling sctp_chunk_fail
        ...
    • sparc64: Fix boot on T4 and later. · e5372cd5
      David S. Miller authored
      If we don't put the NG4fls.o object into the same part of
      the link as the generic sparc64 objects for fls() and __fls()
      then the relocation in the branch we use for patching will
      not fit.
      
      Move NG4fls.o into lib-y to fix this problem.
      
      Fixes: 46ad8d2d ("sparc64: Use sparc optimized fls and __fls for T4 and above")
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Reported-by: Anatoly Pugachev <matorola@gmail.com>
      Tested-by: Anatoly Pugachev <matorola@gmail.com>
    • vsprintf: don't use 'restricted_pointer()' when not restricting · ef0010a3
      Linus Torvalds authored
      Instead, just fall back on the new '%p' behavior which hashes the
      pointer.
      
      Otherwise, '%pK' - that was intended to mark a pointer as restricted -
      just ends up leaking pointers that a normal '%p' wouldn't leak.  Which
      just makes the whole thing pointless.
      
      I suspect we should actually get rid of '%pK' entirely, and make it just
      work as '%p' regardless, but this is the minimal obvious fix.  People
      who actually use 'kptr_restrict' should weigh in on which behavior they
      want.
      
      Cc: Tobin Harding <me@tobin.cc>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • kallsyms: take advantage of the new '%px' format · 668533dc
      Linus Torvalds authored
      The conditional kallsym hex printing used a special fixed-width '%lx'
      output (KALLSYM_FMT) in preparation for the hashing of %p, but that
      series ended up adding a %px specifier to help with the conversions.
      
      Use it, and avoid the "print pointer as an unsigned long" code.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'printk-hash-pointer-4.15-rc2' of git://github.com/tcharding/linux · da6af54d
      Linus Torvalds authored
      Pull printk pointer hashing update from Tobin Harding:
       "Here is the patch set that implements hashing of printk specifier %p.
      
        First we have two clean up patches then we do the hashing. Hashing is
        done via the SipHash algorithm. The next patch adds printk specifier
        %px for printing pointers when we _really_ want to see the address, i.e.
        %px is functionally equivalent to %lx. Final patch in the set fixes
        KASAN since we break it by hashing %p.
      
        For the record here is the justification for the series:
      
          Currently there exist approximately 14 000 places in the Kernel
          where addresses are being printed using an unadorned %p. This
          potentially leaks sensitive information about the Kernel layout in
          memory. Many of these calls are stale, instead of fixing every call
          we hash the address by default before printing. We then add %px to
          provide a way to print the actual address. Although this is
          achievable using %lx, using %px will assist us if we ever want to
          change pointer printing behaviour. %px is more uniquely grep'able
          (there are already >50 000 uses of %lx).
      
          The added advantage of hashing %p is that security is now opt-out,
          if you _really_ want the address you have to work a little harder
          and use %px.
      
        This will of course break some users, forcing code printing needed
        addresses to be updated"
      
      [ I do expect this to be an annoyance, and a number of %px users to be
        added for debuggability. But nobody is willing to audit existing %p
        users for information leaks, and a number of places really only use
        the pointer as an object identifier rather than really 'I need the
        address'.
      
        IOW - sorry for the inconvenience, but it's the least inconvenient of
        the options.    - Linus ]
      
      * tag 'printk-hash-pointer-4.15-rc2' of git://github.com/tcharding/linux:
        kasan: use %px to print addresses instead of %p
        vsprintf: add printk specifier %px
        printk: hash addresses printed with %p
        vsprintf: refactor %pK code out of pointer()
        docs: correct documentation for %pK
    • Revert "mm, thp: Do not make pmd/pud dirty without a reason" · f55e1014
      Linus Torvalds authored
      This reverts commit 152e93af.
      
      It was a nice cleanup in theory, but as Nicolai Stange points out, we do
      need to make the page dirty for the copy-on-write case even when we
      didn't end up making it writable, since the dirty bit is what we use to
      check that we've gone through a COW cycle.
      Reported-by: Michal Hocko <mhocko@kernel.org>
      Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ethernet: dwmac-stm32: Fix copyright · f6454f80
      Benjamin Gaignard authored
      Uniformize STMicroelectronics copyrights header
      Signed-off-by: Benjamin Gaignard <benjamin.gaignard@st.com>
      CC: Alexandre Torgue <alexandre.torgue@st.com>
      Acked-by: Alexandre TORGUE <alexandre.torgue@st.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: via: via-rhine: use %p to format void * address instead of %x · a7e4fbbf
      Colin Ian King authored
      Don't use %x and casting to print out an address, instead use %p
      and remove the casting.  Cleans up smatch warnings:
      
      drivers/net/ethernet/via/via-rhine.c:998 rhine_init_one_common()
      warn: argument 4 to %lx specifier is cast from pointer
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit · 15bfe05c
      Geert Uytterhoeven authored
      On 64-bit (e.g. powerpc64/allmodconfig):
      
          drivers/net/ethernet/xilinx/ll_temac_main.c: In function 'temac_start_xmit_done':
          drivers/net/ethernet/xilinx/ll_temac_main.c:633:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
      	dev_kfree_skb_irq((struct sk_buff *)cur_p->app4);
      			  ^
      
      cdmac_bd.app4 is u32, so it is too small to hold a kernel pointer.
      
      Note that several other fields in struct cdmac_bd are also too small to
      hold physical addresses on 64-bit platforms.
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • myri10ge: Update MAINTAINERS · 01e4fab6
      Hyong-Youb Kim authored
      Change the maintainer to Chris Lee who has access to Myricom hardware
      and can test/review. Update the website URL.
      Signed-off-by: Hyong-Youb Kim <hykim@myri.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • kasan: use %px to print addresses instead of %p · 6424f6bb
      Tobin C. Harding authored
      Pointers printed with %p are now hashed by default. Kasan needs the
      actual address. We can use the new printk specifier %px for this
      purpose.
      
      Use %px instead of %p to print addresses.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
    • vsprintf: add printk specifier %px · 7b1924a1
      Tobin C. Harding authored
      printk specifier %p now hashes all addresses before printing. Sometimes
      we need to see the actual unmodified address. This can be achieved using
      %lx but then we face the risk that if in future we want to change the
      way the Kernel handles printing of pointers we will have to grep through
      the already existent 50 000 %lx call sites. Let's add specifier %px as a
      clear, opt-in, way to print a pointer and maintain some level of
      isolation from all the other hex integer output within the Kernel.
      
      Add printk specifier %px to print the actual unmodified address.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
    • printk: hash addresses printed with %p · ad67b74d
      Tobin C. Harding authored
      Currently there exist approximately 14 000 places in the kernel where
      addresses are being printed using an unadorned %p. This potentially
      leaks sensitive information regarding the Kernel layout in memory. Many
      of these calls are stale, instead of fixing every call let's hash the
      address by default before printing. This will of course break some
      users, forcing code printing needed addresses to be updated.
      
      Code that _really_ needs the address will soon be able to use the new
      printk specifier %px to print the address.
      
      For what it's worth, usage of unadorned %p can be broken down as
      follows (thanks to Joe Perches).
      
      $ git grep -E '%p[^A-Za-z0-9]' | cut -f1 -d"/" | sort | uniq -c
         1084 arch
           20 block
           10 crypto
           32 Documentation
         8121 drivers
         1221 fs
          143 include
          101 kernel
           69 lib
          100 mm
         1510 net
           40 samples
            7 scripts
           11 security
          166 sound
          152 tools
            2 virt
      
      Add function ptr_to_id() to map an address to a 32 bit unique
      identifier. Hash any unadorned usage of specifier %p and any malformed
      specifiers.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
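The policy described in the 'printk: hash addresses printed with %p' commit above and in the merge summary for 'printk-hash-pointer-4.15-rc2', modelled in user space: a keyed SipHash of the address, masked to 32 bits, stands in for the real pointer, and the raw address is only printed on explicit opt-in (the %px role). This is an added example written for this page, not the kernel's lib/vsprintf.c or lib/siphash.c; it implements SipHash-2-4 itself, seeds the key from /dev/urandom in place of the kernel's boot-time key fill, and the names hash_addr, format_ptr and SIPHASH_TEST_KEY are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SipHash-2-4 and a ptr_to_id() lookalike written for this page; the
 * structure follows the published SipHash algorithm, not kernel code. */

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND(v0, v1, v2, v3) do {                                  \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);     \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                          \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                          \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);     \
} while (0)

typedef struct { uint64_t key[2]; } siphash_key_t;

/* Key from the SipHash reference test vectors (bytes 00..0f); used only
 * so the implementation can be checked against published outputs. */
const siphash_key_t SIPHASH_TEST_KEY = {{0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL}};

/* SipHash-2-4 over len bytes; the final word carries len in its top byte. */
uint64_t siphash(const uint8_t *in, size_t len, const siphash_key_t *key)
{
    uint64_t v0 = 0x736f6d6570736575ULL ^ key->key[0];
    uint64_t v1 = 0x646f72616e646f6dULL ^ key->key[1];
    uint64_t v2 = 0x6c7967656e657261ULL ^ key->key[0];
    uint64_t v3 = 0x7465646279746573ULL ^ key->key[1];
    uint64_t b = (uint64_t)len << 56;
    size_t i = 0;

    for (; i + 8 <= len; i += 8) {
        uint64_t m = 0;
        for (int k = 7; k >= 0; k--)            /* little-endian word load */
            m = (m << 8) | in[i + k];
        v3 ^= m; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= m;
    }
    for (; i < len; i++)                        /* tail bytes, if any */
        b |= (uint64_t)in[i] << (8 * (i % 8));
    v3 ^= b; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff;
    for (int r = 0; r < 4; r++) SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Same shape as the kernel's siphash_1u64(): hash a single 64-bit value. */
uint64_t siphash_1u64(uint64_t v, const siphash_key_t *key)
{
    uint8_t buf[8];
    for (int k = 0; k < 8; k++) buf[k] = (uint8_t)(v >> (8 * k));
    return siphash(buf, 8, key);
}

/* The commit's policy: hash the address under a random key and keep only
 * 32 bits, so the output is a stable identifier rather than the address. */
uint32_t hash_addr(uint64_t addr, const siphash_key_t *ptr_key)
{
    return (uint32_t)(siphash_1u64(addr, ptr_key) & 0xffffffffULL);
}

uint32_t ptr_to_id(const void *ptr, const siphash_key_t *ptr_key)
{
    return hash_addr((uint64_t)(uintptr_t)ptr, ptr_key);
}

/* Stand-in for %p versus %px: raw address only when explicitly requested;
 * before the key is seeded, print a placeholder rather than the address. */
int format_ptr(char *out, size_t n, const void *ptr, int raw,
               int key_ready, const siphash_key_t *ptr_key)
{
    if (raw)
        return snprintf(out, n, "%016llx", (unsigned long long)(uintptr_t)ptr);
    if (!key_ready)
        return snprintf(out, n, "(ptrval)");
    return snprintf(out, n, "%08x", ptr_to_id(ptr, ptr_key));
}

int main(void)
{
    siphash_key_t ptr_key = {{0, 0}};
    int key_ready = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f && fread(&ptr_key, sizeof ptr_key, 1, f) == 1)
        key_ready = 1;
    if (f) fclose(f);

    long arr[2];                    /* two objects 8 bytes apart */
    char a[32], b[32], c[32];
    format_ptr(a, sizeof a, &arr[0], 0, key_ready, &ptr_key);
    format_ptr(b, sizeof b, &arr[1], 0, key_ready, &ptr_key);
    format_ptr(c, sizeof c, &arr[0], 1, key_ready, &ptr_key);
    printf("%%p  &arr[0]=%s &arr[1]=%s (adjacent in memory, unrelated as ids)\n", a, b);
    printf("%%px &arr[0]=%s (raw address, opt-in)\n", c);
    return 0;
}
```

The two hashed ids are stable for the life of the process (same key), so they still work as object identifiers in logs, while their numeric difference says nothing about the 8-byte distance between the objects.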
    • vsprintf: refactor %pK code out of pointer() · 57e73442
      Tobin C. Harding authored
      Currently code to handle %pK is all within the switch statement in
      pointer(). This is the wrong level of abstraction. Each of the other switch
      clauses call a helper function, pK should do the same.
      
      Refactor code out of pointer() to new function restricted_pointer().
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
    • docs: correct documentation for %pK · 553d8e8b
      Tobin C. Harding authored
      Current documentation indicates that %pK prints a leading '0x'. This is
      not the case.
      
      Correct documentation for printk specifier %pK.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 43570f03
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - avoid potential bogus alignment for some AEAD operations
      
       - fix crash in algif_aead
      
       - avoid sleeping in softirq context with async af_alg
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: skcipher - Fix skcipher_walk_aead_common
        crypto: af_alg - remove locking in async callback
        crypto: algif_aead - skip SGL entries with NULL page
  3. 28 Nov, 2017 16 commits
    • net: sched: cbq: create block for q->link.block · d51aae68
      Jiri Pirko authored
      q->link.block is not initialized, that leads to EINVAL when one tries to
      add filter there. So initialize it properly.
      
      This can be reproduced by:
      $ tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 rate 1000Mbit bandwidth 1000Mbit
      $ tc filter add dev eth0 parent 1: protocol ip prio 100 u32 match ip protocol 0 0x00 flowid 1:1
      Reported-by: Jaroslav Aster <jaster@redhat.com>
      Reported-by: Ivan Vecera <ivecera@redhat.com>
      Fixes: 6529eaba ("net: sched: introduce tcf block infractructure")
      Signed-off-by: Jiri Pirko <jiri@mellanox.com>
      Acked-by: Eelco Chaudron <echaudro@redhat.com>
      Reviewed-by: Ivan Vecera <ivecera@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • atm: suni: remove extraneous space to fix indentation · 0195a210
      Colin Ian King authored
      Remove a leading space, fixes indentation
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • atm: lanai: use %p to format kernel addresses instead of %x · 6c906542
      Colin Ian King authored
      Don't use %x and casting to print out a kernel address, instead use %p
      and remove the casting.  Cleans up smatch warnings:
      
      drivers/atm/lanai.c:1589 service_buffer_allocate() warn: argument 2 to
      %08lX specifier is cast from pointer
      drivers/atm/lanai.c:2221 lanai_dev_open() warn: argument 4 to %lx
      specifier is cast from pointer
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • VSOCK: Don't set sk_state to TCP_CLOSE before testing it · 4a5def7f
      Jorgen Hansen authored
      A recent commit (3b4477d2) converted the sk_state to use
      TCP constants. In that change, vmci_transport_handle_detach
      was changed such that sk->sk_state was set to TCP_CLOSE before
      we test whether it is TCP_SYN_SENT. This change moves the
      sk_state change back to the original locations in that function.
      Signed-off-by: Jorgen Hansen <jhansen@vmware.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • atm: fore200e: use %pK to format kernel addresses instead of %x · 22dac9f1
      Colin Ian King authored
      Don't use %x and casting to print out a kernel address, instead use the
      %pK and remove the casting.  Cleans up smatch warning:
      
      drivers/atm/fore200e.c:3093 fore200e_proc_read() warn: argument 3 to %08x
      specifier is cast from pointer
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ambassador: fix incorrect indentation of assignment statement · c95c3fe5
      Colin Ian King authored
      Remove one extraneous level of indentation on assignment statement.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vxlan: use __be32 type for the param vni in __vxlan_fdb_delete · fc39c38b
      Xin Long authored
      All callers of __vxlan_fdb_delete pass vni with __be32 type, and
      this param should be declared as __be32 type.
      
      Fixes: 3ad7a4b1 ("vxlan: support fdb and learning in COLLECT_METADATA mode")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bonding: use nla_get_u64 to extract the value for IFLA_BOND_AD_ACTOR_SYSTEM · 5eb3d22a
      Xin Long authored
      bond_opt_initval expects a u64 type param, it's better to use
      nla_get_u64 to extract the value here, to eliminate a sparse
      endianness mismatch warning.
      
      Fixes: 171a42c3 ("bonding: add netlink support for sys prio, actor sys mac, and port key")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: use right member as the param of list_for_each_entry · a8dd3979
      Xin Long authored
      Commit d04adf1b ("sctp: reset owner sk for data chunks on out queues
      when migrating a sock") made a mistake that using 'list' as the param of
      list_for_each_entry to traverse the retransmit, sacked and abandoned
      queues, while chunks are using 'transmitted_list' to link into these
      queues.
      
      It could cause NULL dereference panic if there are chunks in any of these
      queues when peeling off one asoc.
      
      So use the chunk member 'transmitted_list' instead in this patch.
      
      Fixes: d04adf1b ("sctp: reset owner sk for data chunks on out queues when migrating a sock")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sch_sfq: fix null pointer dereference at timer expiration · f85729d0
      Paolo Abeni authored
      While converting sch_sfq to use timer_setup(), the commit cdeabbb8
      ("net: sched: Convert timers to use timer_setup()") forgot to
      initialize the 'sch' field. As a result, the timer callback tries to
      dereference a NULL pointer, and the kernel does oops.
      
      Fix it by initializing that field at qdisc creation time.
      
      Fixes: cdeabbb8 ("net: sched: Convert timers to use timer_setup()")
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Acked-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cls_bpf: don't decrement net's refcount when offload fails · 25415cec
      Jakub Kicinski authored
      When cls_bpf offload was added it seemed like a good idea to
      call cls_bpf_delete_prog() instead of extending the error
      handling path, since the software state is fully initialized
      at that point.  This handling of errors without jumping to
      the end of the function is error prone, as proven by later
      commit missing that extra call to __cls_bpf_delete_prog().
      
      __cls_bpf_delete_prog() is now expected to be invoked with
      a reference on exts->net or the field zeroed out.  The call
      on the offload's error path does not fulfil this requirement,
      leading to each error stealing a reference on net namespace.
      
      Create a function undoing what cls_bpf_set_parms() did and
      use it from __cls_bpf_delete_prog() and the error path.
      
      Fixes: aae2c35e ("cls_bpf: use tcf_exts_get_net() before call_rcu()")
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: Simon Horman <simon.horman@netronome.com>
      Acked-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'drm-for-v4.15-part2-fixes' of git://people.freedesktop.org/~airlied/linux · 43f462f1
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
      
       - TTM regression fix for some virt gpus (bochs vga)
      
       - a few i915 stable fixes
      
       - one vc4 fix
      
       - one uapi fix
      
      * tag 'drm-for-v4.15-part2-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/ttm: don't attempt to use hugepages if dma32 requested (v2)
        drm/vblank: Pass crtc_id to page_flip_ioctl.
        drm/i915: Fix init_clock_gating for resume
        drm/i915: Mark the userptr invalidate workqueue as WQ_MEM_RECLAIM
        drm/i915: Clear breadcrumb node when cancelling signaling
        drm/i915/gvt: ensure -ve return value is handled correctly
        drm/i915: Re-register PMIC bus access notifier on runtime resume
        drm/i915: Fix false-positive assert_rpm_wakelock_held in i915_pmic_bus_access_notifier v2
        drm/edid: Don't send non-zero YQ in AVI infoframe for HDMI 1.x sinks
        drm/vc4: Account for interrupts in flight
    • Revert "ALSA: usb-audio: Fix potential zero-division at parsing FU" · 3c02a6d9
      Takashi Iwai authored
      The commit 8428a8eb ("ALSA: usb-audio: Fix potential zero-division
      at parsing FU") is utterly bogus and breaks the case with csize=1
      instead of fixing anything.  Just take it back again.
      Reported-by: Jörg Otte <jrg.otte@gmail.com>
      Fixes: 8428a8eb ("ALSA: usb-audio: Fix potential zero-division at parsing FU")
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Btrfs: incremental send, fix wrong unlink path after renaming file · ea37d599
      Filipe Manana authored
      Under some circumstances, an incremental send operation can issue wrong
      paths for unlink commands related to files that have multiple hard links
      and some (or all) of those links were renamed between the parent and send
      snapshots. Consider the following example:
      
      Parent snapshot
      
       .                                                      (ino 256)
       |---- a/                                               (ino 257)
       |     |---- b/                                         (ino 259)
       |     |     |---- c/                                   (ino 260)
       |     |     |---- f2                                   (ino 261)
       |     |
       |     |---- f2l1                                       (ino 261)
       |
       |---- d/                                               (ino 262)
             |---- f1l1_2                                     (ino 258)
             |---- f2l2                                       (ino 261)
             |---- f1_2                                       (ino 258)
      
      Send snapshot
      
       .                                                      (ino 256)
       |---- a/                                               (ino 257)
       |     |---- f2l1/                                      (ino 263)
       |             |---- b2/                                (ino 259)
       |                   |---- c/                           (ino 260)
       |                   |     |---- d3                     (ino 262)
       |                   |           |---- f1l1_2           (ino 258)
       |                   |           |---- f2l2_2           (ino 261)
       |                   |           |---- f1_2             (ino 258)
       |                   |
       |                   |---- f2                           (ino 261)
       |                   |---- f1l2                         (ino 258)
       |
       |---- d                                                (ino 261)
      
      When computing the incremental send stream the following steps happen:
      
      1) When processing inode 261, a rename operation is issued that renames
         inode 262, which currently has a path of "d", to an orphan name of
         "o262-7-0". This is done because in the send snapshot, inode 261 has
         one of its hard links with a path of "d" as well.
      
      2) Two link operations are issued that create the new hard links for
         inode 261, whose names are "d" and "f2l2_2", at paths "/" and
         "o262-7-0/" respectively.
      
      3) Still while processing inode 261, unlink operations are issued to
         remove the old hard links of inode 261, with names "f2l1" and "f2l2",
         at paths "a/" and "d/". However path "d/" does not correspond anymore
         to the directory inode 262 but corresponds instead to a hard link of
         inode 261 (link command issued in the previous step). This makes the
         receiver fail with a ENOTDIR error when attempting the unlink
         operation.
      
      The problem happens because before sending the unlink operation, we failed
      to detect that inode 262 was one of the ancestors of inode 261 in the parent
      snapshot, and therefore we didn't recompute the path for inode 262 before
      issuing the unlink operation for the link named "f2l2" of inode 262. The
      detection failed because the function "is_ancestor()" only follows the
      first hard link it finds for an inode instead of all of its hard links
      (as it was originally created to be used with directories only, for
      which only one hard link exists). So fix this by making "is_ancestor()"
      follow all hard links of the input inode.
      
      A test case for fstests follows soon.
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      ea37d599
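A toy model of the ancestor check described in the commit above, added here as an illustration rather than taken from the btrfs code: the inode table is constructed from the parent-snapshot listing in the message, and the function names, the `(name, parent_ino)` ref layout and the `compare()` helper are assumptions of this example.

```python
# Added example, not kernel code: models btrfs send's is_ancestor() over the
# parent snapshot shown in the commit message. The table below is constructed
# from that listing; each entry lists every hard link (inode ref) of an inode.
from typing import Dict, List, Tuple

ROOT_INO = 256  # "." in the listing

# ino -> [(link name, parent directory ino), ...], first link first.
PARENT_SNAPSHOT: Dict[int, List[Tuple[str, int]]] = {
    257: [("a", 256)],
    259: [("b", 257)],
    260: [("c", 259)],
    261: [("f2", 259), ("f2l1", 257), ("f2l2", 262)],  # three hard links
    262: [("d", 256)],
    258: [("f1l1_2", 262), ("f1_2", 262)],
}


def is_ancestor_first_link(refs, ino1: int, ino2: int) -> bool:
    """Buggy variant: walk up from ino2 using only its first hard link.
    Fine for directories (exactly one link), wrong for multi-link files."""
    cur = ino2
    while cur != ROOT_INO:
        _, parent = refs[cur][0]  # only the first ref is ever consulted
        if parent == ino1:
            return True
        cur = parent
    return False


def is_ancestor_all_links(refs, ino1: int, ino2: int) -> bool:
    """Fixed variant: ino1 is an ancestor of ino2 if it lies on the path of
    ANY hard link of ino2, recursing through every inode ref."""
    if ino2 == ROOT_INO:
        return False
    for _, parent in refs[ino2]:
        if parent == ino1:
            return True
        if parent != ROOT_INO and is_ancestor_all_links(refs, ino1, parent):
            return True
    return False


def compare(refs, ino1: int, ino2: int) -> Tuple[bool, bool]:
    """Return (buggy answer, fixed answer) for 'is ino1 an ancestor of ino2?'."""
    return (is_ancestor_first_link(refs, ino1, ino2),
            is_ancestor_all_links(refs, ino1, ino2))


if __name__ == "__main__":
    # Is directory inode 262 ("d/") an ancestor of file inode 261? The first
    # link "b/f2" never passes through 262, but the third link "d/f2l2" does.
    print(compare(PARENT_SNAPSHOT, 262, 261))  # (False, True)
```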
    • net/packet: fix a race in packet_bind() and packet_notifier() · 15fe076e
      Eric Dumazet authored
      syzbot reported crashes [1] and provided a C repro easing bug hunting.
      
      When/if packet_do_bind() calls __unregister_prot_hook() and releases
      po->bind_lock, another thread can run packet_notifier() and process a
      NETDEV_UP event.
      
      This calls register_prot_hook() and hooks the socket again right before
      the first thread is able to grab po->bind_lock again.
      
      Fix this issue by temporarily setting po->num to 0, as suggested by
      David Miller.
      
      [1]
      dev_remove_pack: ffff8801bf16fa80 not found
      ------------[ cut here ]------------
      kernel BUG at net/core/dev.c:7945!  ( BUG_ON(!list_empty(&dev->ptype_all)); )
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      device syz0 entered promiscuous mode
      CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      task: ffff8801cc57a500 task.stack: ffff8801cc588000
      RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945
      Call Trace:
       rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106
       tun_detach drivers/net/tun.c:670 [inline]
       tun_chr_close+0x49/0x60 drivers/net/tun.c:2845
       __fput+0x333/0x7f0 fs/file_table.c:210
       ____fput+0x15/0x20 fs/file_table.c:244
       task_work_run+0x199/0x270 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x9bb/0x1ae0 kernel/exit.c:865
       do_group_exit+0x149/0x400 kernel/exit.c:968
       SYSC_exit_group kernel/exit.c:979 [inline]
       SyS_exit_group+0x1d/0x20 kernel/exit.c:977
       entry_SYSCALL_64_fastpath+0x1f/0x96
      RIP: 0033:0x44ad19
      
      Fixes: 30f7ea1c ("packet: race condition in packet_bind")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Francesco Ruggeri <fruggeri@aristanetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      15fe076e
    • packet: fix crash in fanout_demux_rollover() · 57f015f5
      Mike Maloney authored
      syzkaller found a race condition in fanout_demux_rollover() while removing
      a packet socket from a fanout group.
      
      po->rollover is read and operated on during packet_rcv_fanout(), via
      fanout_demux_rollover(), but the pointer is currently cleared before the
      synchronization in packet_release(). It is safer to delay the cleanup
      until after synchronize_net() has been called, ensuring all calls to
      packet_rcv_fanout() for this socket have finished.
      
      To further simplify synchronization around the rollover structure, set
      po->rollover in fanout_add() only if there are no errors.  This removes
      the need for rcu in the struct and in the call to
      packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...).
      
      Crashing stack trace:
       fanout_demux_rollover+0xb6/0x4d0 net/packet/af_packet.c:1392
       packet_rcv_fanout+0x649/0x7c8 net/packet/af_packet.c:1487
       dev_queue_xmit_nit+0x835/0xc10 net/core/dev.c:1953
       xmit_one net/core/dev.c:2975 [inline]
       dev_hard_start_xmit+0x16b/0xac0 net/core/dev.c:2995
       __dev_queue_xmit+0x17a4/0x2050 net/core/dev.c:3476
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3509
       neigh_connected_output+0x489/0x720 net/core/neighbour.c:1379
       neigh_output include/net/neighbour.h:482 [inline]
       ip6_finish_output2+0xad1/0x22a0 net/ipv6/ip6_output.c:120
       ip6_finish_output+0x2f9/0x920 net/ipv6/ip6_output.c:146
       NF_HOOK_COND include/linux/netfilter.h:239 [inline]
       ip6_output+0x1f4/0x850 net/ipv6/ip6_output.c:163
       dst_output include/net/dst.h:459 [inline]
       NF_HOOK.constprop.35+0xff/0x630 include/linux/netfilter.h:250
       mld_sendpack+0x6a8/0xcc0 net/ipv6/mcast.c:1660
       mld_send_initial_cr.part.24+0x103/0x150 net/ipv6/mcast.c:2072
       mld_send_initial_cr net/ipv6/mcast.c:2056 [inline]
       ipv6_mc_dad_complete+0x99/0x130 net/ipv6/mcast.c:2079
       addrconf_dad_completed+0x595/0x970 net/ipv6/addrconf.c:4039
       addrconf_dad_work+0xac9/0x1160 net/ipv6/addrconf.c:3971
       process_one_work+0xbf0/0x1bc0 kernel/workqueue.c:2113
       worker_thread+0x223/0x1990 kernel/workqueue.c:2247
       kthread+0x35e/0x430 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432
      
      Fixes: 0648ab70 ("packet: rollover prepare: per-socket state")
      Fixes: 509c7a1e ("packet: avoid panic in packet_getsockopt()")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Mike Maloney <maloney@google.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      57f015f5