1. 25 Jul, 2018 27 commits
  2. 22 Jul, 2018 13 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.143 · a8ea6276
      Greg Kroah-Hartman authored
      a8ea6276
    • Tetsuo Handa's avatar
      net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL. · bb68d6a6
      Tetsuo Handa authored
      commit 3bc53be9 upstream.
      
      syzbot is reporting stalls at nfc_llcp_send_ui_frame() [1]. This is
      because nfc_llcp_send_ui_frame() is retrying the loop without any delay
      when nonblocking nfc_alloc_send_skb() returned NULL.
      
      Since there is no need to use MSG_DONTWAIT if we retry until
      sock_alloc_send_pskb() succeeds, let's use blocking call.
      Also, in case an unexpected error occurred, let's break the loop
      if blocking nfc_alloc_send_skb() failed.
      
      [1] https://syzkaller.appspot.com/bug?id=4a131cc571c3733e0eff6bc673f4e36ae48f19c6Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <syzbot+d29d18215e477cfbfbdd@syzkaller.appspotmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb68d6a6
    • Santosh Shilimkar's avatar
      rds: avoid unenecessary cong_update in loop transport · cfc501df
      Santosh Shilimkar authored
      commit f1693c63 upstream.
      
      Loop transport which is self loopback, remote port congestion
      update isn't relevant. Infact the xmit path already ignores it.
      Receive path needs to do the same.
      
      Reported-by: syzbot+4c20b3866171ce8441d2@syzkaller.appspotmail.com
      Reviewed-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cfc501df
    • Eric Biggers's avatar
      KEYS: DNS: fix parsing multiple options · 423f8b59
      Eric Biggers authored
      commit c604cb76 upstream.
      
      My recent fix for dns_resolver_preparse() printing very long strings was
      incomplete, as shown by syzbot which still managed to hit the
      WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:
      
          precision 50001 too large
          WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0
      
      The bug this time isn't just a printing bug, but also a logical error
      when multiple options ("#"-separated strings) are given in the key
      payload.  Specifically, when separating an option string into name and
      value, if there is no value then the name is incorrectly considered to
      end at the end of the key payload, rather than the end of the current
      option.  This bypasses validation of the option length, and also means
      that specifying multiple options is broken -- which presumably has gone
      unnoticed as there is currently only one valid option anyway.
      
      A similar problem also applied to option values, as the kstrtoul() when
      parsing the "dnserror" option will read past the end of the current
      option and into the next option.
      
      Fix these bugs by correctly computing the length of the option name and
      by copying the option value, null-terminated, into a temporary buffer.
      
      Reproducer for the WARN_ONCE() that syzbot hit:
      
          perl -e 'print "#A#", "\0" x 50000' | keyctl padd dns_resolver desc @s
      
      Reproducer for "dnserror" option being parsed incorrectly (expected
      behavior is to fail when seeing the unknown option "foo", actual
      behavior was to read the dnserror value as "1#foo" and fail there):
      
          perl -e 'print "#dnserror=1#foo\0"' | keyctl padd dns_resolver desc @s
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 4a2d7892 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      423f8b59
    • Florian Westphal's avatar
      netfilter: ebtables: reject non-bridge targets · 88f65567
      Florian Westphal authored
      commit 11ff7288 upstream.
      
      the ebtables evaluation loop expects targets to return
      positive values (jumps), or negative values (absolute verdicts).
      
      This is completely different from what xtables does.
      In xtables, targets are expected to return the standard netfilter
      verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
      
      ebtables will consider these as jumps.
      
      Therefore reject any target found due to unspec fallback.
      v2: also reject watchers.  ebtables ignores their return value, so
      a target that assumes skb ownership (and returns NF_STOLEN) causes
      use-after-free.
      
      The only watchers in the 'ebtables' front-end are log and nflog;
      both have AF_BRIDGE specific wrappers on kernel side.
      
      Reported-by: syzbot+2b43f681169a2a0d306a@syzkaller.appspotmail.com
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88f65567
    • Paul Burton's avatar
      MIPS: Use async IPIs for arch_trigger_cpumask_backtrace() · 3a7031fd
      Paul Burton authored
      commit b63e132b upstream.
      
      The current MIPS implementation of arch_trigger_cpumask_backtrace() is
      broken because it attempts to use synchronous IPIs despite the fact that
      it may be run with interrupts disabled.
      
      This means that when arch_trigger_cpumask_backtrace() is invoked, for
      example by the RCU CPU stall watchdog, we may:
      
        - Deadlock due to use of synchronous IPIs with interrupts disabled,
          causing the CPU that's attempting to generate the backtrace output
          to hang itself.
      
        - Not succeed in generating the desired output from remote CPUs.
      
        - Produce warnings about this from smp_call_function_many(), for
          example:
      
          [42760.526910] INFO: rcu_sched detected stalls on CPUs/tasks:
          [42760.535755]  0-...!: (1 GPs behind) idle=ade/140000000000000/0 softirq=526944/526945 fqs=0
          [42760.547874]  1-...!: (0 ticks this GP) idle=e4a/140000000000000/0 softirq=547885/547885 fqs=0
          [42760.559869]  (detected by 2, t=2162 jiffies, g=266689, c=266688, q=33)
          [42760.568927] ------------[ cut here ]------------
          [42760.576146] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:416 smp_call_function_many+0x88/0x20c
          [42760.587839] Modules linked in:
          [42760.593152] CPU: 2 PID: 1216 Comm: sh Not tainted 4.15.4-00373-gee058bb4d0c2 #2
          [42760.603767] Stack : 8e09bd20 8e09bd20 8e09bd20 fffffff0 00000007 00000006 00000000 8e09bca8
          [42760.616937]         95b2b379 95b2b379 807a0080 00000007 81944518 0000018a 00000032 00000000
          [42760.630095]         00000000 00000030 80000000 00000000 806eca74 00000009 8017e2b8 000001a0
          [42760.643169]         00000000 00000002 00000000 8e09baa4 00000008 808b8008 86d69080 8e09bca0
          [42760.656282]         8e09ad50 805e20aa 00000000 00000000 00000000 8017e2b8 00000009 801070ca
          [42760.669424]         ...
          [42760.673919] Call Trace:
          [42760.678672] [<27fde568>] show_stack+0x70/0xf0
          [42760.685417] [<84751641>] dump_stack+0xaa/0xd0
          [42760.692188] [<699d671c>] __warn+0x80/0x92
          [42760.698549] [<68915d41>] warn_slowpath_null+0x28/0x36
          [42760.705912] [<f7c76c1c>] smp_call_function_many+0x88/0x20c
          [42760.713696] [<6bbdfc2a>] arch_trigger_cpumask_backtrace+0x30/0x4a
          [42760.722216] [<f845bd33>] rcu_dump_cpu_stacks+0x6a/0x98
          [42760.729580] [<796e7629>] rcu_check_callbacks+0x672/0x6ac
          [42760.737476] [<059b3b43>] update_process_times+0x18/0x34
          [42760.744981] [<6eb94941>] tick_sched_handle.isra.5+0x26/0x38
          [42760.752793] [<478d3d70>] tick_sched_timer+0x1c/0x50
          [42760.759882] [<e56ea39f>] __hrtimer_run_queues+0xc6/0x226
          [42760.767418] [<e88bbcae>] hrtimer_interrupt+0x88/0x19a
          [42760.775031] [<6765a19e>] gic_compare_interrupt+0x2e/0x3a
          [42760.782761] [<0558bf5f>] handle_percpu_devid_irq+0x78/0x168
          [42760.790795] [<90c11ba2>] generic_handle_irq+0x1e/0x2c
          [42760.798117] [<1b6d462c>] gic_handle_local_int+0x38/0x86
          [42760.805545] [<b2ada1c7>] gic_irq_dispatch+0xa/0x14
          [42760.812534] [<90c11ba2>] generic_handle_irq+0x1e/0x2c
          [42760.820086] [<c7521934>] do_IRQ+0x16/0x20
          [42760.826274] [<9aef3ce6>] plat_irq_dispatch+0x62/0x94
          [42760.833458] [<6a94b53c>] except_vec_vi_end+0x70/0x78
          [42760.840655] [<22284043>] smp_call_function_many+0x1ba/0x20c
          [42760.848501] [<54022b58>] smp_call_function+0x1e/0x2c
          [42760.855693] [<ab9fc705>] flush_tlb_mm+0x2a/0x98
          [42760.862730] [<0844cdd0>] tlb_flush_mmu+0x1c/0x44
          [42760.869628] [<cb259b74>] arch_tlb_finish_mmu+0x26/0x3e
          [42760.877021] [<1aeaaf74>] tlb_finish_mmu+0x18/0x66
          [42760.883907] [<b3fce717>] exit_mmap+0x76/0xea
          [42760.890428] [<c4c8a2f6>] mmput+0x80/0x11a
          [42760.896632] [<a41a08f4>] do_exit+0x1f4/0x80c
          [42760.903158] [<ee01cef6>] do_group_exit+0x20/0x7e
          [42760.909990] [<13fa8d54>] __wake_up_parent+0x0/0x1e
          [42760.917045] [<46cf89d0>] smp_call_function_many+0x1a2/0x20c
          [42760.924893] [<8c21a93b>] syscall_common+0x14/0x1c
          [42760.931765] ---[ end trace 02aa09da9dc52a60 ]---
          [42760.938342] ------------[ cut here ]------------
          [42760.945311] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:291 smp_call_function_single+0xee/0xf8
          ...
      
      This patch switches MIPS' arch_trigger_cpumask_backtrace() to use async
      IPIs & smp_call_function_single_async() in order to resolve this
      problem. We ensure use of the pre-allocated call_single_data_t
      structures is serialized by maintaining a cpumask indicating that
      they're busy, and refusing to attempt to send an IPI when a CPU's bit is
      set in this mask. This should only happen if a CPU hasn't responded to a
      previous backtrace IPI - ie. if it's hung - and we print a warning to
      the console in this case.
      
      I've marked this for stable branches as far back as v4.9, to which it
      applies cleanly. Strictly speaking the faulty MIPS implementation can be
      traced further back to commit 856839b7 ("MIPS: Add
      arch_trigger_all_cpu_backtrace() function") in v3.19, but kernel
      versions v3.19 through v4.8 will require further work to backport due to
      the rework performed in commit 9a01c3ed ("nmi_backtrace: add more
      trigger_*_cpu_backtrace() methods").
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19597/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Huacai Chen <chenhc@lemote.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.9+
      Fixes: 856839b7 ("MIPS: Add arch_trigger_all_cpu_backtrace() function")
      Fixes: 9a01c3ed ("nmi_backtrace: add more trigger_*_cpu_backtrace() methods")
      [ Huacai: backported to 4.4: Restruction since generic NMI solution is unavailable ]
      Signed-off-by: default avatarHuacai Chen <chenhc@lemote.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a7031fd
    • Paul Burton's avatar
      MIPS: Call dump_stack() from show_regs() · 5396b1a6
      Paul Burton authored
      commit 5a267832 upstream.
      
      The generic nmi_cpu_backtrace() function calls show_regs() when a struct
      pt_regs is available, and dump_stack() otherwise. If we were to make use
      of the generic nmi_cpu_backtrace() with MIPS' current implementation of
      show_regs() this would mean that we see only register data with no
      accompanying stack information, in contrast with our current
      implementation which calls dump_stack() regardless of whether register
      state is available.
      
      In preparation for making use of the generic nmi_cpu_backtrace() to
      implement arch_trigger_cpumask_backtrace(), have our implementation of
      show_regs() call dump_stack() and drop the explicit dump_stack() call in
      arch_dump_stack() which is invoked by arch_trigger_cpumask_backtrace().
      
      This will allow the output we produce to remain the same after a later
      patch switches to using nmi_cpu_backtrace(). It may mean that we produce
      extra stack output in other uses of show_regs(), but this:
      
        1) Seems harmless.
        2) Is good for consistency between arch_trigger_cpumask_backtrace()
           and other users of show_regs().
        3) Matches the behaviour of the ARM & PowerPC architectures.
      
      Marked for stable back to v4.9 as a prerequisite of the following patch
      "MIPS: Call dump_stack() from show_regs()".
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19596/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Huacai Chen <chenhc@lemote.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.9+
      Signed-off-by: default avatarHuacai Chen <chenhc@lemote.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5396b1a6
    • Ping-Ke Shih's avatar
      rtlwifi: rtl8821ae: fix firmware is not ready to run · 99f303b3
      Ping-Ke Shih authored
      commit 9a98302d upstream.
      
      Without this patch, firmware will not run properly on rtl8821ae, and it
      causes bad user experience. For example, bad connection performance with
      low rate, higher power consumption, and so on.
      
      rtl8821ae uses two kinds of firmwares for normal and WoWlan cases, and
      each firmware has firmware data buffer and size individually. Original
      code always overwrite size of normal firmware rtlpriv->rtlhal.fwsize, and
      this mismatch causes firmware checksum error, then firmware can't start.
      
      In this situation, driver gives message "Firmware is not ready to run!".
      
      Fixes: fe89707f ("rtlwifi: rtl8821ae: Simplify loading of WOWLAN firmware")
      Signed-off-by: default avatarPing-Ke Shih <pkshih@realtek.com>
      Cc: Stable <stable@vger.kernel.org> # 4.0+
      Reviewed-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99f303b3
    • Gustavo A. R. Silva's avatar
      net: cxgb3_main: fix potential Spectre v1 · f6927277
      Gustavo A. R. Silva authored
      commit 676bcfec upstream.
      
      t.qset_idx can be indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
      warn: potential spectre issue 'adapter->msix_info'
      
      Fix this by sanitizing t.qset_idx before using it to index
      adapter->msix_info
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6927277
    • Alex Vesker's avatar
      net/mlx5: Fix command interface race in polling mode · be86990b
      Alex Vesker authored
      [ Upstream commit d412c31d ]
      
      The command interface can work in two modes: Events and Polling.
      In the general case, each time we invoke a command, a work is
      queued to handle it.
      
      When working in events, the interrupt handler completes the
      command execution. On the other hand, when working in polling
      mode, the work itself completes it.
      
      Due to a bug in the work handler, a command could have been
      completed by the interrupt handler, while the work handler
      hasn't finished yet, causing the it to complete once again
      if the command interface mode was changed from Events to
      polling after the interrupt handler was called.
      
      mlx5_unload_one()
              mlx5_stop_eqs()
                      // Destroy the EQ before cmd EQ
                      ...cmd_work_handler()
                              write_doorbell()
                              --> EVENT_TYPE_CMD
                                      mlx5_cmd_comp_handler() // First free
                                              free_ent(cmd, ent->idx)
                                              complete(&ent->done)
      
              <-- mlx5_stop_eqs //cmd was complete
                      // move to polling before destroying the last cmd EQ
                      mlx5_cmd_use_polling()
                              cmd->mode = POLL;
      
                      --> cmd_work_handler (continues)
                              if (cmd->mode == POLL)
                                      mlx5_cmd_comp_handler() // Double free
      
      The solution is to store the cmd->mode before writing the doorbell.
      
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be86990b
    • Konstantin Khlebnikov's avatar
      net_sched: blackhole: tell upper qdisc about dropped packets · be604aa5
      Konstantin Khlebnikov authored
      [ Upstream commit 7e85dc8c ]
      
      When blackhole is used on top of classful qdisc like hfsc it breaks
      qlen and backlog counters because packets are disappear without notice.
      
      In HFSC non-zero qlen while all classes are inactive triggers warning:
      WARNING: ... at net/sched/sch_hfsc.c:1393 hfsc_dequeue+0xba4/0xe90 [sch_hfsc]
      and schedules watchdog work endlessly.
      
      This patch return __NET_XMIT_BYPASS in addition to NET_XMIT_SUCCESS,
      this flag tells upper layer: this packet is gone and isn't queued.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be604aa5
    • Jason Wang's avatar
      vhost_net: validate sock before trying to put its fd · 5e6b3946
      Jason Wang authored
      [ Upstream commit b8f1f658 ]
      
      Sock will be NULL if we pass -1 to vhost_net_set_backend(), but when
      we meet errors during ubuf allocation, the code does not check for
      NULL before calling sockfd_put(), this will lead NULL
      dereferencing. Fixing by checking sock pointer before.
      
      Fixes: bab632d6 ("vhost: vhost TX zero-copy support")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e6b3946
    • Ilpo Järvinen's avatar
      tcp: prevent bogus FRTO undos with non-SACK flows · 61c66cc5
      Ilpo Järvinen authored
      [ Upstream commit 1236f22f ]
      
      If SACK is not enabled and the first cumulative ACK after the RTO
      retransmission covers more than the retransmitted skb, a spurious
      FRTO undo will trigger (assuming FRTO is enabled for that RTO).
      The reason is that any non-retransmitted segment acknowledged will
      set FLAG_ORIG_SACK_ACKED in tcp_clean_rtx_queue even if there is
      no indication that it would have been delivered for real (the
      scoreboard is not kept with TCPCB_SACKED_ACKED bits in the non-SACK
      case so the check for that bit won't help like it does with SACK).
      Having FLAG_ORIG_SACK_ACKED set results in the spurious FRTO undo
      in tcp_process_loss.
      
      We need to use more strict condition for non-SACK case and check
      that none of the cumulatively ACKed segments were retransmitted
      to prove that progress is due to original transmissions. Only then
      keep FLAG_ORIG_SACK_ACKED set, allowing FRTO undo to proceed in
      non-SACK case.
      
      (FLAG_ORIG_SACK_ACKED is planned to be renamed to FLAG_ORIG_PROGRESS
      to better indicate its purpose but to keep this change minimal, it
      will be done in another patch).
      
      Besides burstiness and congestion control violations, this problem
      can result in RTO loop: When the loss recovery is prematurely
      undoed, only new data will be transmitted (if available) and
      the next retransmission can occur only after a new RTO which in case
      of multiple losses (that are not for consecutive packets) requires
      one RTO per loss to recover.
      Signed-off-by: default avatarIlpo Järvinen <ilpo.jarvinen@helsinki.fi>
      Tested-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      61c66cc5