1. 28 Sep, 2017 2 commits
    • Stefan Chulski's avatar
      net: mvpp2: fix parsing fragmentation detection · aff3da39
      Stefan Chulski authored
      Parsing fragmentation detection failed due to wrong configured
      parser TCAM entry's. Some traffic was marked as fragmented in RX
      descriptor, even it wasn't IP fragmented. The hardware also failed to
      calculate checksums which lead to use software checksum and caused
      performance degradation.
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375 network unit")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@free-electrons.com>
      Signed-off-by: default avatarStefan Chulski <stefanc@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aff3da39
    • Alexander Potapenko's avatar
      tun: bail out from tun_get_user() if the skb is empty · 2580c4c1
      Alexander Potapenko authored
      KMSAN (https://github.com/google/kmsan) reported accessing uninitialized
      skb->data[0] in the case the skb is empty (i.e. skb->len is 0):
      
      ================================================
      BUG: KMSAN: use of uninitialized memory in tun_get_user+0x19ba/0x3770
      CPU: 0 PID: 3051 Comm: probe Not tainted 4.13.0+ #3140
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
      ...
       __msan_warning_32+0x66/0xb0 mm/kmsan/kmsan_instr.c:477
       tun_get_user+0x19ba/0x3770 drivers/net/tun.c:1301
       tun_chr_write_iter+0x19f/0x300 drivers/net/tun.c:1365
       call_write_iter ./include/linux/fs.h:1743
       new_sync_write fs/read_write.c:457
       __vfs_write+0x6c3/0x7f0 fs/read_write.c:470
       vfs_write+0x3e4/0x770 fs/read_write.c:518
       SYSC_write+0x12f/0x2b0 fs/read_write.c:565
       SyS_write+0x55/0x80 fs/read_write.c:557
       do_syscall_64+0x242/0x330 arch/x86/entry/common.c:284
       entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:245
      ...
      origin:
      ...
       kmsan_poison_shadow+0x6e/0xc0 mm/kmsan/kmsan.c:211
       slab_alloc_node mm/slub.c:2732
       __kmalloc_node_track_caller+0x351/0x370 mm/slub.c:4351
       __kmalloc_reserve net/core/skbuff.c:138
       __alloc_skb+0x26a/0x810 net/core/skbuff.c:231
       alloc_skb ./include/linux/skbuff.h:903
       alloc_skb_with_frags+0x1d7/0xc80 net/core/skbuff.c:4756
       sock_alloc_send_pskb+0xabf/0xfe0 net/core/sock.c:2037
       tun_alloc_skb drivers/net/tun.c:1144
       tun_get_user+0x9a8/0x3770 drivers/net/tun.c:1274
       tun_chr_write_iter+0x19f/0x300 drivers/net/tun.c:1365
       call_write_iter ./include/linux/fs.h:1743
       new_sync_write fs/read_write.c:457
       __vfs_write+0x6c3/0x7f0 fs/read_write.c:470
       vfs_write+0x3e4/0x770 fs/read_write.c:518
       SYSC_write+0x12f/0x2b0 fs/read_write.c:565
       SyS_write+0x55/0x80 fs/read_write.c:557
       do_syscall_64+0x242/0x330 arch/x86/entry/common.c:284
       return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:245
      ================================================
      
      Make sure tun_get_user() doesn't touch skb->data[0] unless there is
      actual data.
      
      C reproducer below:
      ==========================
          // autogenerated by syzkaller (http://github.com/google/syzkaller)
      
          #define _GNU_SOURCE
      
          #include <fcntl.h>
          #include <linux/if_tun.h>
          #include <netinet/ip.h>
          #include <net/if.h>
          #include <string.h>
          #include <sys/ioctl.h>
      
          int main()
          {
            int sock = socket(PF_INET, SOCK_STREAM, IPPROTO_IP);
            int tun_fd = open("/dev/net/tun", O_RDWR);
            struct ifreq req;
            memset(&req, 0, sizeof(struct ifreq));
            strcpy((char*)&req.ifr_name, "gre0");
            req.ifr_flags = IFF_UP | IFF_MULTICAST;
            ioctl(tun_fd, TUNSETIFF, &req);
            ioctl(sock, SIOCSIFFLAGS, "gre0");
            write(tun_fd, "hi", 0);
            return 0;
          }
      ==========================
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2580c4c1
  2. 27 Sep, 2017 2 commits
    • Dan Carpenter's avatar
      sctp: Fix a big endian bug in sctp_diag_dump() · c2cc187e
      Dan Carpenter authored
      The sctp_for_each_transport() function takes an pointer to int.  The
      cb->args[] array holds longs so it's only using the high 32 bits.  It
      works on little endian system but will break on big endian 64 bit
      machines.
      
      Fixes: d25adbeb ("sctp: fix an use-after-free issue in sctp_sock_dump")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2cc187e
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2017-09-25' of... · 20c62c79
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2017-09-25' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.14
      
      Quite a lot of fixes this time. Most notable is the brcmfmac fix for a
      CVE issue.
      
      iwlwifi
      
      * a couple of bugzilla bugs related to multicast handling
      
      * two fixes for WoWLAN bugs that were causing queue hangs and
        re-initialization problems
      
      * two fixes for potential uninitialized variable use reported by Dan
        Carpenter in relation to a recently introduced patch
      
      * a fix for buffer reordering in the newly supported 9000 device
        family
      
      * fix a race when starting aggregation
      
      * small fix for a recent patch to wake mac80211 queues
      
      * send non-bufferable management frames in the generic queue so they
        are not sent on queues that are under power-save
      
      ath10k
      
      * fix a PCI PM related gcc warning
      
      brcmfmac
      
      * CVE-2017-0786: add length check scan results from firmware
      
      * respect passive scan requests from user space
      
      qtnfmac
      
      * fix race in tx path when using multiple interfaces
      
      * cancel ongoing scan when removing the wireless interface
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20c62c79
  3. 26 Sep, 2017 9 commits
    • David S. Miller's avatar
      Merge branch 'aquantia-fixes' · 2760f5a3
      David S. Miller authored
      Igor Russkikh says:
      
      ====================
      aquantia: Atlantic driver bugfixes und improvements
      
      This series contains bugfixes for aQuantia Atlantic driver.
      
      Changes in v2:
      Review comments applied:
      - min_mtu set removed
      - extra mtu range check is removed
      - err codes handling improved
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2760f5a3
    • Pavel Belous's avatar
      atlantic: fix iommu errors · c7545689
      Pavel Belous authored
      Call skb_frag_dma_map multiple times if tx length is greater than
      device max and avoid processing tx ring until entire packet has been
      sent.
      Signed-off-by: default avatarIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: default avatarPavel Belous <pavel.belous@aquantia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7545689
    • Igor Russkikh's avatar
      aquantia: Fix transient invalid link down/up indications · a7bb1bea
      Igor Russkikh authored
      Due to a bug in aquantia atlantic card firmware, it sometimes reports
      invalid link speed bits. That caused driver to report link down events,
      although link itself is totally fine.
      
      This patch ignores such out of blue readings.
      Signed-off-by: default avatarPavel Belous <Pavel.Belous@aquantia.com>
      Signed-off-by: default avatarIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7bb1bea
    • Igor Russkikh's avatar
      aquantia: Fix Tx queue hangups · 3aec6412
      Igor Russkikh authored
      Driver did a poor job in managing its Tx queues: Sometimes it could stop
      tx queues due to link down condition in aq_nic_xmit - but never waked up
      them. That led to Tx path total suspend.
      This patch fixes this and improves generic queue management:
      - introduces queue restart counter
      - uses generic netif_ interface to disable and enable tx path
      - refactors link up/down condition and introduces dmesg log event when
        link changes.
      - introduces new constant for minimum descriptors count required for queue
        wakeup
      Signed-off-by: default avatarPavel Belous <Pavel.Belous@aquantia.com>
      Signed-off-by: default avatarIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3aec6412
    • Igor Russkikh's avatar
      aquantia: Setup max_mtu in ndev to enable jumbo frames · d85fc17b
      Igor Russkikh authored
      Although hardware is capable for almost 16K MTU, without max_mtu field
      correctly set it only allows standard MTU to be used.
      This patch enables max MTU, calculating it from hardware maximum frame size
      of 16352 octets (including FCS).
      
      Fixes: 5513e164 ("net: ethernet: aquantia: Fixes for aq_ndev_change_mtu")
      Signed-off-by: default avatarPavel Belous <Pavel.Belous@aquantia.com>
      Signed-off-by: default avatarIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d85fc17b
    • Sabrina Dubroca's avatar
      l2tp: fix race condition in l2tp_tunnel_delete · 62b982ee
      Sabrina Dubroca authored
      If we try to delete the same tunnel twice, the first delete operation
      does a lookup (l2tp_tunnel_get), finds the tunnel, calls
      l2tp_tunnel_delete, which queues it for deletion by
      l2tp_tunnel_del_work.
      
      The second delete operation also finds the tunnel and calls
      l2tp_tunnel_delete. If the workqueue has already fired and started
      running l2tp_tunnel_del_work, then l2tp_tunnel_delete will queue the
      same tunnel a second time, and try to free the socket again.
      
      Add a dead flag to prevent firing the workqueue twice. Then we can
      remove the check of queue_work's result that was meant to prevent that
      race but doesn't.
      
      Reproducer:
      
          ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 local 192.168.0.2 remote 192.168.0.1 encap udp udp_sport 5000 udp_dport 6000
          ip l2tp add session name l2tp1 tunnel_id 3000 session_id 1000 peer_session_id 2000
          ip link set l2tp1 up
          ip l2tp del tunnel tunnel_id 3000
          ip l2tp del tunnel tunnel_id 3000
      
      Fixes: f8ccac0e ("l2tp: put tunnel socket release on a workqueue")
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Acked-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      62b982ee
    • Alexey Kodanev's avatar
      vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit · 36f6ee22
      Alexey Kodanev authored
      When running LTP IPsec tests, KASan might report:
      
      BUG: KASAN: use-after-free in vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
      Read of size 4 at addr ffff880dc6ad1980 by task swapper/0/0
      ...
      Call Trace:
        <IRQ>
        dump_stack+0x63/0x89
        print_address_description+0x7c/0x290
        kasan_report+0x28d/0x370
        ? vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
        __asan_report_load4_noabort+0x19/0x20
        vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
        ? vti_init_net+0x190/0x190 [ip_vti]
        ? save_stack_trace+0x1b/0x20
        ? save_stack+0x46/0xd0
        dev_hard_start_xmit+0x147/0x510
        ? icmp_echo.part.24+0x1f0/0x210
        __dev_queue_xmit+0x1394/0x1c60
      ...
      Freed by task 0:
        save_stack_trace+0x1b/0x20
        save_stack+0x46/0xd0
        kasan_slab_free+0x70/0xc0
        kmem_cache_free+0x81/0x1e0
        kfree_skbmem+0xb1/0xe0
        kfree_skb+0x75/0x170
        kfree_skb_list+0x3e/0x60
        __dev_queue_xmit+0x1298/0x1c60
        dev_queue_xmit+0x10/0x20
        neigh_resolve_output+0x3a8/0x740
        ip_finish_output2+0x5c0/0xe70
        ip_finish_output+0x4ba/0x680
        ip_output+0x1c1/0x3a0
        xfrm_output_resume+0xc65/0x13d0
        xfrm_output+0x1e4/0x380
        xfrm4_output_finish+0x5c/0x70
      
      Can be fixed if we get skb->len before dst_output().
      
      Fixes: b9959fd3 ("vti: switch to new ip tunnel code")
      Fixes: 22e1b23d ("vti6: Support inter address family tunneling.")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      36f6ee22
    • Arnd Bergmann's avatar
      netlink: fix nla_put_{u8,u16,u32} for KASAN · b4391db4
      Arnd Bergmann authored
      When CONFIG_KASAN is enabled, the "--param asan-stack=1" causes rather large
      stack frames in some functions. This goes unnoticed normally because
      CONFIG_FRAME_WARN is disabled with CONFIG_KASAN by default as of commit
      3f181b4d ("lib/Kconfig.debug: disable -Wframe-larger-than warnings with
      KASAN=y").
      
      The kernelci.org build bot however has the warning enabled and that led
      me to investigate it a little further, as every build produces these warnings:
      
      net/wireless/nl80211.c:4389:1: warning: the frame size of 2240 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      net/wireless/nl80211.c:1895:1: warning: the frame size of 3776 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      net/wireless/nl80211.c:1410:1: warning: the frame size of 2208 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      net/bridge/br_netlink.c:1282:1: warning: the frame size of 2544 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      
      Most of this problem is now solved in gcc-8, which can consolidate
      the stack slots for the inline function arguments. On older compilers
      we can add a workaround by declaring a local variable in each function
      to pass the inline function argument.
      
      Cc: stable@vger.kernel.org
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b4391db4
    • Arnd Bergmann's avatar
      rocker: fix rocker_tlv_put_* functions for KASAN · 6098d7dd
      Arnd Bergmann authored
      Inlining these functions creates lots of stack variables that each take
      64 bytes when KASAN is enabled, leading to this warning about potential
      stack overflow:
      
      drivers/net/ethernet/rocker/rocker_ofdpa.c: In function 'ofdpa_cmd_flow_tbl_add':
      drivers/net/ethernet/rocker/rocker_ofdpa.c:621:1: error: the frame size of 2752 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
      
      gcc-8 can now consolidate the stack slots itself, but on older versions
      we get the same behavior by using a temporary variable that holds a
      copy of the inline function argument.
      
      Cc: stable@vger.kernel.org
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6098d7dd
  4. 25 Sep, 2017 5 commits
    • Timur Tabi's avatar
      net: qcom/emac: specify the correct size when mapping a DMA buffer · a93ad944
      Timur Tabi authored
      When mapping the RX DMA buffers, the driver was accidentally specifying
      zero for the buffer length.  Under normal circumstances, SWIOTLB does not
      need to allocate a bounce buffer, so the address is just mapped without
      checking the size field.  This is why the error was not detected earlier.
      
      Fixes: b9b17deb ("net: emac: emac gigabit ethernet controller driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarTimur Tabi <timur@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a93ad944
    • David S. Miller's avatar
      Merge branch 'l2tp-fix-some-races-in-session-deletion' · 016576d5
      David S. Miller authored
      Guillaume Nault says:
      
      ====================
      l2tp: fix some races in session deletion
      
      L2TP provides several interfaces for deleting sessions. Using two of
      them concurrently can lead to use-after-free bugs.
      
      Patch #2 uses a flag to prevent double removal of L2TP sessions.
      Patch #1 fixes a bug found in the way. Fixing this bug is also
      necessary for patch #2 to handle all cases.
      
      This issue is similar to the tunnel deletion bug being worked on by
      Sabrina: https://patchwork.ozlabs.org/patch/814173/
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      016576d5
    • Guillaume Nault's avatar
      l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall() · b228a940
      Guillaume Nault authored
      There are several ways to remove L2TP sessions:
      
        * deleting a session explicitly using the netlink interface (with
          L2TP_CMD_SESSION_DELETE),
        * deleting the session's parent tunnel (either by closing the
          tunnel's file descriptor or using the netlink interface),
        * closing the PPPOL2TP file descriptor of a PPP pseudo-wire.
      
      In some cases, when these methods are used concurrently on the same
      session, the session can be removed twice, leading to use-after-free
      bugs.
      
      This patch adds a 'dead' flag, used by l2tp_session_delete() and
      l2tp_tunnel_closeall() to prevent them from stepping on each other's
      toes.
      
      The session deletion path used when closing a PPPOL2TP file descriptor
      doesn't need to be adapted. It already has to ensure that a session
      remains valid for the lifetime of its PPPOL2TP file descriptor.
      So it takes an extra reference on the session in the ->session_close()
      callback (pppol2tp_session_close()), which is eventually dropped
      in the ->sk_destruct() callback of the PPPOL2TP socket
      (pppol2tp_session_destruct()).
      Still, __l2tp_session_unhash() and l2tp_session_queue_purge() can be
      called twice and even concurrently for a given session, but thanks to
      proper locking and re-initialisation of list fields, this is not an
      issue.
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b228a940
    • Guillaume Nault's avatar
      l2tp: ensure sessions are freed after their PPPOL2TP socket · cdd10c96
      Guillaume Nault authored
      If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session
      right after pppol2tp_release() orphaned its socket, then the 'sock'
      variable of the pppol2tp_session_close() callback is NULL. Yet the
      session is still used by pppol2tp_release().
      
      Therefore we need to take an extra reference in any case, to prevent
      l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session.
      
      Since the pppol2tp_session_close() callback is only set if the session
      is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete()
      and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling
      pppol2tp_session_close(), we're sure that pppol2tp_session_close() and
      pppol2tp_session_destruct() are paired and called in the right order.
      So the reference taken by the former will be released by the later.
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cdd10c96
    • Kalle Valo's avatar
      Merge ath-current from ath.git · 3e747fa1
      Kalle Valo authored
      ath.git fixes for 4.14. Major changes:
      
      ath10k
      
      * fix a PCI PM related gcc warning
      3e747fa1
  5. 24 Sep, 2017 2 commits
    • Subash Abhinov Kasiviswanathan's avatar
      net: qualcomm: rmnet: Fix rcu splat in rmnet_is_real_dev_registered · 5c346525
      Subash Abhinov Kasiviswanathan authored
      Xiaolong reported a suspicious rcu_dereference_check in the device
      unregister notifier callback. Since we do not dereference the
      rx_handler_data, it's ok to just check for the value of the pointer.
      Note that this section is already protected by rtnl_lock.
      
      [  101.364846] WARNING: suspicious RCU usage
      [  101.365654] 4.13.0-rc6-01701-gceed73a2 #1 Not tainted
      [  101.370873] -----------------------------
      [  101.372472] drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c:57 suspicious rcu_dereference_check() usage!
      [  101.374427]
      [  101.374427] other info that might help us debug this:
      [  101.374427]
      [  101.387491]
      [  101.387491] rcu_scheduler_active = 2, debug_locks = 1
      [  101.389368] 1 lock held by trinity-main/2809:
      [  101.390736]  #0:  (rtnl_mutex){+.+.+.}, at: [<8146085b>] rtnl_lock+0xf/0x11
      [  101.395482]
      [  101.395482] stack backtrace:
      [  101.396948] CPU: 0 PID: 2809 Comm: trinity-main Not tainted 4.13.0-rc6-01701-gceed73a2 #1
      [  101.398857] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
      [  101.401079] Call Trace:
      [  101.401656]  dump_stack+0xa1/0xeb
      [  101.402871]  lockdep_rcu_suspicious+0xc7/0xd0
      [  101.403665]  rmnet_is_real_dev_registered+0x40/0x4e
      [  101.405199]  rmnet_config_notify_cb+0x2c/0x142
      [  101.406344]  ? wireless_nlevent_flush+0x47/0x71
      [  101.407385]  notifier_call_chain+0x2d/0x47
      [  101.408645]  raw_notifier_call_chain+0xc/0xe
      [  101.409882]  call_netdevice_notifiers_info+0x41/0x49
      [  101.411402]  call_netdevice_notifiers+0xc/0xe
      [  101.412713]  rollback_registered_many+0x268/0x36e
      [  101.413702]  rollback_registered+0x39/0x56
      [  101.414965]  unregister_netdevice_queue+0x79/0x88
      [  101.415908]  unregister_netdev+0x16/0x1d
      
      Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Reported-by: default avatarkernel test robot <xiaolong.ye@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c346525
    • Christophe JAILLET's avatar
      cnic: Fix an error handling path in 'cnic_alloc_bnx2x_resc()' · 05cf97e7
      Christophe JAILLET authored
      All the error handling paths 'goto error', except this one.
      We should also go to error in this case, or some resources will be
      leaking.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      05cf97e7
  6. 23 Sep, 2017 17 commits
    • Linus Torvalds's avatar
      Merge branch 'parisc-4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · cd4175b1
      Linus Torvalds authored
      Pull parisc fixes from Helge Deller:
      
       - Unbreak parisc bootloader by avoiding a gcc-7 optimization to convert
         multiple byte-accesses into one word-access.
      
       - Add missing HWPOISON page fault handler code. I completely missed
         that when I added HWPOISON support during this merge window and it
         only showed up now with the madvise07 LTP test case.
      
       - Fix backtrace unwinding to stop when stack start has been reached.
      
       - Issue warning if initrd has been loaded into memory regions with
         broken RAM modules.
      
       - Fix HPMC handler (parisc hardware fault handler) to comply with
         architecture specification.
      
       - Avoid compiler warnings about too large frame sizes.
      
       - Minor init-section fixes.
      
      * 'parisc-4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Unbreak bootloader due to gcc-7 optimizations
        parisc: Reintroduce option to gzip-compress the kernel
        parisc: Add HWPOISON page fault handler code
        parisc: Move init_per_cpu() into init section
        parisc: Check if initrd was loaded into broken RAM
        parisc: Add PDCE_CHECK instruction to HPMC handler
        parisc: Add wrapper for pdc_instr() firmware function
        parisc: Move start_parisc() into init section
        parisc: Stop unwinding at start of stack
        parisc: Fix too large frame size warnings
      cd4175b1
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · ded85032
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
      
       - Smattering of miscellanous fixes
      
       - A five patch series for i40iw that had a patch (5/5) that was larger
         than I would like, but I took it because it's needed for large scale
         users
      
       - An 8 patch series for bnxt_re that landed right as I was leaving on
         PTO and so had to wait until now...they are all appropriate fixes for
         -rc IMO
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: (22 commits)
        bnxt_re: Don't issue cmd to delete GID for QP1 GID entry before the QP is destroyed
        bnxt_re: Fix memory leak in FRMR path
        bnxt_re: Remove RTNL lock dependency in bnxt_re_query_port
        bnxt_re: Fix race between the netdev register and unregister events
        bnxt_re: Free up devices in module_exit path
        bnxt_re: Fix compare and swap atomic operands
        bnxt_re: Stop issuing further cmds to FW once a cmd times out
        bnxt_re: Fix update of qplib_qp.mtu when modified
        i40iw: Add support for port reuse on active side connections
        i40iw: Add missing VLAN priority
        i40iw: Call i40iw_cm_disconn on modify QP to disconnect
        i40iw: Prevent multiple netdev event notifier registrations
        i40iw: Fail open if there are no available MSI-X vectors
        RDMA/vmw_pvrdma: Fix reporting correct opcodes for completion
        IB/bnxt_re: Fix frame stack compilation warning
        IB/mlx5: fix debugfs cleanup
        IB/ocrdma: fix incorrect fall-through on switch statement
        IB/ipoib: Suppress the retry related completion errors
        iw_cxgb4: remove the stid on listen create failure
        iw_cxgb4: drop listen destroy replies if no ep found
        ...
      ded85032
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 71aa60f6
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix NAPI poll list corruption in enic driver, from Christian
          Lamparter.
      
       2) Fix route use after free, from Eric Dumazet.
      
       3) Fix regression in reuseaddr handling, from Josef Bacik.
      
       4) Assert the size of control messages in compat handling since we copy
          it in from userspace twice. From Meng Xu.
      
       5) SMC layer bug fixes (missing RCU locking, bad refcounting, etc.)
          from Ursula Braun.
      
       6) Fix races in AF_PACKET fanout handling, from Willem de Bruijn.
      
       7) Don't use ARRAY_SIZE on spinlock array which might have zero
          entries, from Geert Uytterhoeven.
      
       8) Fix miscomputation of checksum in ipv6 udp code, from Subash Abhinov
          Kasiviswanathan.
      
       9) Push the ipv6 header properly in ipv6 GRE tunnel driver, from Xin
          Long.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (75 commits)
        inet: fix improper empty comparison
        net: use inet6_rcv_saddr to compare sockets
        net: set tb->fast_sk_family
        net: orphan frags on stand-alone ptype in dev_queue_xmit_nit
        MAINTAINERS: update git tree locations for ieee802154 subsystem
        net: prevent dst uses after free
        net: phy: Fix truncation of large IRQ numbers in phy_attached_print()
        net/smc: no close wait in case of process shut down
        net/smc: introduce a delay
        net/smc: terminate link group if out-of-sync is received
        net/smc: longer delay for client link group removal
        net/smc: adapt send request completion notification
        net/smc: adjust net_device refcount
        net/smc: take RCU read lock for routing cache lookup
        net/smc: add receive timeout check
        net/smc: add missing dev_put
        net: stmmac: Cocci spatch "of_table"
        lan78xx: Use default values loaded from EEPROM/OTP after reset
        lan78xx: Allow EEPROM write for less than MAX_EEPROM_SIZE
        lan78xx: Fix for eeprom read/write when device auto suspend
        ...
      71aa60f6
    • Linus Torvalds's avatar
      Merge tag 'apparmor-pr-2017-09-22' of... · 79444df4
      Linus Torvalds authored
      Merge tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
      
      Pull apparmor updates from John Johansen:
       "This is the apparmor pull request, similar to SELinux and seccomp.
      
        It's the same series that I was sent to James' security tree + one
        regression fix that was found after the series was sent to James and
        would have been sent for v4.14-rc2.
      
        Features:
        - in preparation for secid mapping add support for absolute root view
          based labels
        - add base infastructure for socket mediation
        - add mount mediation
        - add signal mediation
      
        minor cleanups and changes:
        - be defensive, ensure unconfined profiles have dfas initialized
        - add more debug asserts to apparmorfs
        - enable policy unpacking to audit different reasons for failure
        - cleanup conditional check for label in label_print
        - Redundant condition: prev_ns. in [label.c:1498]
      
        Bug Fixes:
        - fix regression in apparmorfs DAC access permissions
        - fix build failure on sparc caused by undeclared signals
        - fix sparse report of incorrect type assignment when freeing label proxies
        - fix race condition in null profile creation
        - Fix an error code in aafs_create()
        - Fix logical error in verify_header()
        - Fix shadowed local variable in unpack_trans_table()"
      
      * tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
        apparmor: fix apparmorfs DAC access permissions
        apparmor: fix build failure on sparc caused by undeclared signals
        apparmor: fix incorrect type assignment when freeing proxies
        apparmor: ensure unconfined profiles have dfas initialized
        apparmor: fix race condition in null profile creation
        apparmor: move new_null_profile to after profile lookup fns()
        apparmor: add base infastructure for socket mediation
        apparmor: add more debug asserts to apparmorfs
        apparmor: make policy_unpack able to audit different info messages
        apparmor: add support for absolute root view based labels
        apparmor: cleanup conditional check for label in label_print
        apparmor: add mount mediation
        apparmor: add the ability to mediate signals
        apparmor: Redundant condition: prev_ns. in [label.c:1498]
        apparmor: Fix an error code in aafs_create()
        apparmor: Fix logical error in verify_header()
        apparmor: Fix shadowed local variable in unpack_trans_table()
      79444df4
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · c65da8e2
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix the initialization of resources in the ACPI WDAT watchdog
        driver, a recent regression in the ACPI device properties handling, a
        recent change in behavior causing the ACPI_HANDLE() macro to only work
        for GPL code and create a MAINTAINERS entry for ACPI PMIC drivers in
        order to specify the official reviewers for that code.
      
        Specifics:
      
         - Fix the initialization of resources in the ACPI WDAT watchdog
           driver that uses unititialized memory which causes compiler
           warnings to be triggered (Arnd Bergmann).
      
         - Fix a recent regression in the ACPI device properties handling that
           causes some device properties data to be skipped during enumeration
           (Sakari Ailus).
      
         - Fix a recent change in behavior that caused the ACPI_HANDLE() macro
           to stop working for non-GPL code which is a problem for the NVidia
           binary graphics driver, for example (John Hubbard).
      
         - Add a MAINTAINERS entry for the ACPI PMIC drivers to specify the
           official reviewers for that code (Rafael Wysocki)"
      
      * tag 'acpi-4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: properties: Return _DSD hierarchical extension (data) sub-nodes correctly
        ACPI / bus: Make ACPI_HANDLE() work for non-GPL code again
        ACPI / watchdog: properly initialize resources
        ACPI / PMIC: Add code reviewers to MAINTAINERS
      c65da8e2
    • David S. Miller's avatar
      Merge branch 'net-fix-reuseaddr-regression' · 4e683f49
      David S. Miller authored
      Josef Bacik says:
      
      ====================
      net: fix reuseaddr regression
      
      I introduced a regression when reworking the fastreuse port stuff that allows
      bind conflicts to occur once a reuseaddr successfully opens on an existing tb.
      The root cause is I reversed an if statement which caused us to set the tb as if
      there were no owners on the socket if there were, which obviously is not
      correct.
      
      Dave could you please queue these changes up for -stable, I've run them through
      the net tests and added another test to check for this problem specifically.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4e683f49
    • Josef Bacik's avatar
      inet: fix improper empty comparison · fbed24bc
      Josef Bacik authored
      When doing my reuseport rework I screwed up and changed a
      
      if (hlist_empty(&tb->owners))
      
      to
      
      if (!hlist_empty(&tb->owners))
      
      This is obviously bad as all of the reuseport/reuse logic was reversed,
      which caused weird problems like allowing an ipv4 bind conflict if we
      opened an ipv4 only socket on a port followed by an ipv6 only socket on
      the same port.
      
      Fixes: b9470c27 ("inet: kill smallest_size and smallest_port")
      Reported-by: default avatarCole Robinson <crobinso@redhat.com>
      Signed-off-by: default avatarJosef Bacik <jbacik@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fbed24bc
    • Josef Bacik's avatar
      net: use inet6_rcv_saddr to compare sockets · 7a56673b
      Josef Bacik authored
      In ipv6_rcv_saddr_equal() we need to use inet6_rcv_saddr(sk) for the
      ipv6 compare with the fast socket information to make sure we're doing
      the proper comparisons.
      
      Fixes: 637bc8bb ("inet: reset tb->fastreuseport when adding a reuseport sk")
      Reported-and-tested-by: default avatarCole Robinson <crobinso@redhat.com>
      Signed-off-by: default avatarJosef Bacik <jbacik@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7a56673b
    • Josef Bacik's avatar
      net: set tb->fast_sk_family · cbb2fb5c
      Josef Bacik authored
      We need to set the tb->fast_sk_family properly so we can use the proper
      comparison function for all subsequent reuseport bind requests.
      
      Fixes: 637bc8bb ("inet: reset tb->fastreuseport when adding a reuseport sk")
      Reported-and-tested-by: default avatarCole Robinson <crobinso@redhat.com>
      Signed-off-by: default avatarJosef Bacik <jbacik@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cbb2fb5c
    • Willem de Bruijn's avatar
      net: orphan frags on stand-alone ptype in dev_queue_xmit_nit · 581fe0ea
      Willem de Bruijn authored
      Zerocopy skbs frags are copied when the skb is looped to a local sock.
      Commit 1080e512 ("net: orphan frags on receive") introduced calls
      to skb_orphan_frags to deliver_skb and __netif_receive_skb for this.
      
      With msg_zerocopy, these skbs can also exist in the tx path and thus
      loop from dev_queue_xmit_nit. This already calls deliver_skb in its
      loop. But it does not orphan before a separate pt_prev->func().
      
      Add the missing skb_orphan_frags_rx.
      
      Changes
        v1->v2: handle skb_orphan_frags_rx failure
      
      Fixes: 1f8b977a ("sock: enable MSG_ZEROCOPY")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      581fe0ea
    • Linus Torvalds's avatar
      Merge tag 'pm-4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 6876eb37
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix a cpufreq regression introduced by recent changes related to
        the generic DT driver, an initialization time memory leak in cpuidle
        on ARM, a PM core bug that may cause system suspend/resume to fail on
        some systems, a request type validation issue in the PM QoS framework
        and two documentation-related issues.
      
        Specifics:
      
         - Fix a regression in cpufreq on systems using DT as the source of
           CPU configuration information where two different code paths
           attempt to create the cpufreq-dt device object (there can be only
           one) and fix up the "compatible" matching for some TI platforms on
           top of that (Viresh Kumar, Dave Gerlach).
      
         - Fix an initialization time memory leak in cpuidle on ARM which
           occurs if the cpuidle driver initialization fails (Stefan Wahren).
      
         - Fix a PM core function that checks whether or not there are any
           system suspend/resume callbacks for a device, but forgets to check
           legacy callbacks which then may be skipped incorrectly and the
           system may crash and/or the device may become unusable after a
           suspend-resume cycle (Rafael Wysocki).
      
         - Fix request type validation for latency tolerance PM QoS requests
           which may lead to unexpected behavior (Jan Schönherr).
      
         - Fix a broken link to PM documentation from a header file and a typo
           in a PM document (Geert Uytterhoeven, Rafael Wysocki)"
      
      * tag 'pm-4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: ti-cpufreq: Support additional am43xx platforms
        ARM: cpuidle: Avoid memleak if init fail
        cpufreq: dt-platdev: Add some missing platforms to the blacklist
        PM: core: Fix device_pm_check_callbacks()
        PM: docs: Drop an excess character from devices.rst
        PM / QoS: Use the correct variable to check the QoS request type
        driver core: Fix link to device power management documentation
      6876eb37
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · d32e5f44
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - fixes for two long standing issues (lock up and a crash) in force
         feedback handling in uinput driver
      
       - tweak to firmware update timing in Elan I2C touchpad driver.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: elan_i2c - extend Flash-Write delay
        Input: uinput - avoid crash when sending FF request to device going away
        Input: uinput - avoid FF flush when destroying device
      d32e5f44
    • Linus Torvalds's avatar
      Merge tag 'seccomp-v4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · c0a3a64e
      Linus Torvalds authored
      Pull seccomp updates from Kees Cook:
       "Major additions:
      
         - sysctl and seccomp operation to discover available actions
           (tyhicks)
      
         - new per-filter configurable logging infrastructure and sysctl
           (tyhicks)
      
         - SECCOMP_RET_LOG to log allowed syscalls (tyhicks)
      
         - SECCOMP_RET_KILL_PROCESS as the new strictest possible action
      
         - self-tests for new behaviors"
      
      [ This is the seccomp part of the security pull request during the merge
        window that was nixed due to unrelated problems   - Linus ]
      
      * tag 'seccomp-v4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        samples: Unrename SECCOMP_RET_KILL
        selftests/seccomp: Test thread vs process killing
        seccomp: Implement SECCOMP_RET_KILL_PROCESS action
        seccomp: Introduce SECCOMP_RET_KILL_PROCESS
        seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
        seccomp: Action to log before allowing
        seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
        seccomp: Selftest for detection of filter flag support
        seccomp: Sysctl to configure actions that are allowed to be logged
        seccomp: Operation for checking if an action is available
        seccomp: Sysctl to display available actions
        seccomp: Provide matching filter for introspection
        selftests/seccomp: Refactor RET_ERRNO tests
        selftests/seccomp: Add simple seccomp overhead benchmark
        selftests/seccomp: Add tests for basic ptrace actions
      c0a3a64e
    • Linus Torvalds's avatar
      Merge tag '4.14-smb3-fixes-from-recent-test-events-for-stable' of... · 69c902f5
      Linus Torvalds authored
      Merge tag '4.14-smb3-fixes-from-recent-test-events-for-stable' of git://git.samba.org/sfrench/cifs-2.6
      
      Pull cifs fixes from Steve French:
       "Various SMB3 fixes for stable and security improvements from the
        recently completed SMB3/Samba test events
      
      * tag '4.14-smb3-fixes-from-recent-test-events-for-stable' of git://git.samba.org/sfrench/cifs-2.6:
        SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
        SMB3: handle new statx fields
        SMB: Validate negotiate (to protect against downgrade) even if signing off
        cifs: release auth_key.response for reconnect.
        cifs: release cifs root_cred after exit_cifs
        CIFS: make arrays static const, reduces object code size
        [SMB3] Update session and share information displayed for debugging SMB2/SMB3
        cifs: show 'soft' in the mount options for hard mounts
        SMB3: Warn user if trying to sign connection that authenticated as guest
        SMB3: Fix endian warning
        Fix SMB3.1.1 guest authentication to Samba
      69c902f5
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.14-rc2' of git://github.com/ceph/ceph-client · b03fcfae
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "Two small but important fixes: RADOS semantic change in upcoming v12.2.1
        release and a rare NULL dereference in create_session_open_msg()"
      
      * tag 'ceph-for-4.14-rc2' of git://github.com/ceph/ceph-client:
        ceph: avoid panic in create_session_open_msg() if utsname() returns NULL
        libceph: don't allow bidirectional swap of pg-upmap-items
      b03fcfae
    • Stefan Schmidt's avatar
      MAINTAINERS: update git tree locations for ieee802154 subsystem · b9b95da9
      Stefan Schmidt authored
      Patches for ieee802154 will go through my new trees towards netdev from
      now on. The 6LoWPAN subsystem will stay as is (shared between ieee802154
      and bluetooth) and go through the bluetooth tree as usual.
      Signed-off-by: default avatarStefan Schmidt <stefan@osg.samsung.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b9b95da9
    • Steve French's avatar
      SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags · 1013e760
      Steve French authored
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      CC: Stable <stable@vger.kernel.org>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      1013e760
  7. 22 Sep, 2017 3 commits