1. 10 Oct, 2019 2 commits
  2. 09 Oct, 2019 7 commits
    • Xin Long's avatar
      sctp: add chunks to sk_backlog when the newsk sk_socket is not set · 819be810
      Xin Long authored
      This patch is to fix a NULL-ptr deref in selinux_socket_connect_helper:
      
        [...] kasan: GPF could be caused by NULL-ptr deref or user memory access
        [...] RIP: 0010:selinux_socket_connect_helper+0x94/0x460
        [...] Call Trace:
        [...]  selinux_sctp_bind_connect+0x16a/0x1d0
        [...]  security_sctp_bind_connect+0x58/0x90
        [...]  sctp_process_asconf+0xa52/0xfd0 [sctp]
        [...]  sctp_sf_do_asconf+0x785/0x980 [sctp]
        [...]  sctp_do_sm+0x175/0x5a0 [sctp]
        [...]  sctp_assoc_bh_rcv+0x285/0x5b0 [sctp]
        [...]  sctp_backlog_rcv+0x482/0x910 [sctp]
        [...]  __release_sock+0x11e/0x310
        [...]  release_sock+0x4f/0x180
        [...]  sctp_accept+0x3f9/0x5a0 [sctp]
        [...]  inet_accept+0xe7/0x720
      
      It was caused by that the 'newsk' sk_socket was not set before going to
      security sctp hook when processing asconf chunk with SCTP_PARAM_ADD_IP
      or SCTP_PARAM_SET_PRIMARY:
      
        inet_accept()->
          sctp_accept():
            lock_sock():
                lock listening 'sk'
                                                do_softirq():
                                                  sctp_rcv():  <-- [1]
                                                      asconf chunk arrives and
                                                      enqueued in 'sk' backlog
            sctp_sock_migrate():
                set asoc's sk to 'newsk'
            release_sock():
                sctp_backlog_rcv():
                  lock 'newsk'
                  sctp_process_asconf()  <-- [2]
                  unlock 'newsk'
          sock_graft():
              set sk_socket  <-- [3]
      
      As it shows, at [1] the asconf chunk would be put into the listening 'sk'
      backlog, as accept() was holding its sock lock. Then at [2] asconf would
      get processed with 'newsk' as asoc's sk had been set to 'newsk'. However,
      'newsk' sk_socket is not set until [3], while selinux_sctp_bind_connect()
      would deref it, then kernel crashed.
      
      Here to fix it by adding the chunk to sk_backlog until newsk sk_socket is
      set when .accept() is done.
      
      Note that sk->sk_socket can be NULL when the sock is closed, so SOCK_DEAD
      flag is also needed to check in sctp_newsk_ready().
      
      Thanks to Ondrej for reviewing the code.
      
      Fixes: d452930f ("selinux: Add SCTP support")
      Reported-by: default avatarYing Xu <yinxu@redhat.com>
      Suggested-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      819be810
    • Eric Dumazet's avatar
      bonding: fix potential NULL deref in bond_update_slave_arr · a7137534
      Eric Dumazet authored
      syzbot got a NULL dereference in bond_update_slave_arr() [1],
      happening after a failure to allocate bond->slave_arr
      
      A workqueue (bond_slave_arr_handler) is supposed to retry
      the allocation later, but if the slave is removed before
      the workqueue had a chance to complete, bond->slave_arr
      can still be NULL.
      
      [1]
      
      Failed to build slave-array.
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      Modules linked in:
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039
      RSP: 0018:ffff88018fe33678 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000
      RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20
      RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0
      FS:  00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       [<ffffffff82b5b45e>] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923
       [<ffffffff82b5b966>] bond_release drivers/net/bonding/bond_main.c:2039 [inline]
       [<ffffffff82b5b966>] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562
       [<ffffffff83ae25f4>] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328
       [<ffffffff83ae2e58>] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495
       [<ffffffff83995ffd>] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088
       [<ffffffff83996a80>] sock_ioctl+0x300/0x5d0 net/socket.c:1196
       [<ffffffff81b124db>] vfs_ioctl fs/ioctl.c:47 [inline]
       [<ffffffff81b124db>] file_ioctl fs/ioctl.c:501 [inline]
       [<ffffffff81b124db>] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688
       [<ffffffff81b12dc6>] SYSC_ioctl fs/ioctl.c:705 [inline]
       [<ffffffff81b12dc6>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696
       [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
       [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Fixes: ee637714 ("bonding: Simplify the xmit function for modes that use xmit_hash")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      a7137534
    • Antonio Borneo's avatar
      net: stmmac: fix disabling flexible PPS output · 520cf600
      Antonio Borneo authored
      Accordingly to Synopsys documentation [1] and [2], when bit PPSEN0
      in register MAC_PPS_CONTROL is set it selects the functionality
      command in the same register, otherwise selects the functionality
      control.
      Command functionality is required to either enable (command 0x2)
      and disable (command 0x5) the flexible PPS output, but the bit
      PPSEN0 is currently set only for enabling.
      
      Set the bit PPSEN0 to properly disable flexible PPS output.
      
      Tested on STM32MP15x, based on dwmac 4.10a.
      
      [1] DWC Ethernet QoS Databook 4.10a October 2014
      [2] DWC Ethernet QoS Databook 5.00a September 2017
      Signed-off-by: default avatarAntonio Borneo <antonio.borneo@st.com>
      Fixes: 9a8a02c9 ("net: stmmac: Add Flexible PPS support")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      520cf600
    • Antonio Borneo's avatar
      net: stmmac: fix length of PTP clock's name string · 5da202c8
      Antonio Borneo authored
      The field "name" in struct ptp_clock_info has a fixed size of 16
      chars and is used as zero terminated string by clock_name_show()
      in drivers/ptp/ptp_sysfs.c
      The current initialization value requires 17 chars to fit also the
      null termination, and this causes overflow to the next bytes in
      the struct when the string is read as null terminated:
      	hexdump -C /sys/class/ptp/ptp0/clock_name
      	00000000  73 74 6d 6d 61 63 5f 70  74 70 5f 63 6c 6f 63 6b  |stmmac_ptp_clock|
      	00000010  a0 ac b9 03 0a                                    |.....|
      where the extra 4 bytes (excluding the newline) after the string
      represent the integer 0x03b9aca0 = 62500000 assigned to the field
      "max_adj" that follows "name" in the same struct.
      
      There is no strict requirement for the "name" content and in the
      comment in ptp_clock_kernel.h it's reported it should just be 'A
      short "friendly name" to identify the clock'.
      Replace it with "stmmac ptp".
      Signed-off-by: default avatarAntonio Borneo <antonio.borneo@st.com>
      Fixes: 92ba6888 ("stmmac: add the support for PTP hw clock driver")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      5da202c8
    • Haishuang Yan's avatar
      ip6erspan: remove the incorrect mtu limit for ip6erspan · 4123f637
      Haishuang Yan authored
      ip6erspan driver calls ether_setup(), after commit 61e84623
      ("net: centralize net_device min/max MTU checking"), the range
      of mtu is [min_mtu, max_mtu], which is [68, 1500] by default.
      
      It causes the dev mtu of the erspan device to not be greater
      than 1500, this limit value is not correct for ip6erspan tap
      device.
      
      Fixes: 61e84623 ("net: centralize net_device min/max MTU checking")
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Acked-by: default avatarWilliam Tu <u9012063@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      4123f637
    • Jakub Kicinski's avatar
      Merge tag 'mac80211-for-davem-2019-10-08' of... · a17fd2cf
      Jakub Kicinski authored
      Merge tag 'mac80211-for-davem-2019-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A number of fixes:
       * allow scanning when operating on radar channels in
         ETSI regdomains
       * accept deauth frames in IBSS - we have code to parse
         and handle them, but were dropping them early
       * fix an allocation failure path in hwsim
       * fix a failure path memory leak in nl80211 FTM code
       * fix RCU handling & locking in multi-BSSID parsing
       * reject malformed SSID in mac80211 (this shouldn't
         really be able to happen, but defense in depth)
       * avoid userspace buffer overrun in ancient wext code
         if SSID was too long
      ====================
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      a17fd2cf
    • Randy Dunlap's avatar
      Doc: networking/device_drivers/pensando: fix ionic.rst warnings · b82316d2
      Randy Dunlap authored
      Fix documentation build warnings for Pensando ionic:
      
      Documentation/networking/device_drivers/pensando/ionic.rst:39: WARNING: Unexpected indentation.
      Documentation/networking/device_drivers/pensando/ionic.rst:43: WARNING: Unexpected indentation.
      
      Fixes: df69ba43 ("ionic: Add basic framework for IONIC Network device driver")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Acked-by: default avatarShannon Nelson <snelson@pensando.io>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      b82316d2
  3. 08 Oct, 2019 9 commits
    • Johan Hovold's avatar
      NFC: pn533: fix use-after-free and memleaks · 6af3aa57
      Johan Hovold authored
      The driver would fail to deregister and its class device and free
      related resources on late probe errors.
      
      Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com
      Fixes: 32ecc75d ("NFC: pn533: change order operations in dev registation")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      6af3aa57
    • Cong Wang's avatar
      net_sched: fix backward compatibility for TCA_ACT_KIND · 4b793fec
      Cong Wang authored
      For TCA_ACT_KIND, we have to keep the backward compatibility too,
      and rely on nla_strlcpy() to check and terminate the string with
      a NUL.
      
      Note for TC actions, nla_strcmp() is already used to compare kind
      strings, so we don't need to fix other places.
      
      Fixes: 199ce850 ("net_sched: add policy validation for action attributes")
      Reported-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      4b793fec
    • Cong Wang's avatar
      net_sched: fix backward compatibility for TCA_KIND · 6f96c3c6
      Cong Wang authored
      Marcelo noticed a backward compatibility issue of TCA_KIND
      after we move from NLA_STRING to NLA_NUL_STRING, so it is probably
      too late to change it.
      
      Instead, to make everyone happy, we can just insert a NUL to
      terminate the string with nla_strlcpy() like we do for TC actions.
      
      Fixes: 62794fc4 ("net_sched: add max len check for TCA_KIND")
      Reported-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      6f96c3c6
    • Alex Vesker's avatar
      net/mlx5: DR, Allow insertion of duplicate rules · 00414126
      Alex Vesker authored
      Duplicate rules were not allowed to be configured with SW steering.
      This restriction caused failures with the replace rule logic done by
      upper layers.
      
      This fix allows for multiple rules with the same match values, in
      such case the first inserted rules will match.
      
      Fixes: 41d07074 ("net/mlx5: DR, Expose steering rule functionality")
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      00414126
    • Jakub Kicinski's avatar
      Merge branch 'llc-fix-sk_buff-refcounting' · 38dc3b5f
      Jakub Kicinski authored
      Eric Biggers says:
      
      ====================
      Patches 1-2 fix the memory leaks that syzbot has reported in net/llc:
      
      	memory leak in llc_ui_create (2)
      	memory leak in llc_ui_sendmsg
      	memory leak in llc_conn_ac_send_sabme_cmd_p_set_x
      
      Patches 3-4 fix related bugs that I noticed while reading this code.
      
      Note: I've tested that this fixes the syzbot bugs, but otherwise I don't
      know of any way to test this code.
      ====================
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      38dc3b5f
    • Eric Biggers's avatar
      llc: fix sk_buff refcounting in llc_conn_state_process() · 36453c85
      Eric Biggers authored
      If llc_conn_state_process() sees that llc_conn_service() put the skb on
      a list, it will drop one fewer references to it.  This is wrong because
      the current behavior is that llc_conn_service() never consumes a
      reference to the skb.
      
      The code also makes the number of skb references being dropped
      conditional on which of ind_prim and cfm_prim are nonzero, yet neither
      of these affects how many references are *acquired*.  So there is extra
      code that tries to fix this up by sometimes taking another reference.
      
      Remove the unnecessary/broken refcounting logic and instead just add an
      skb_get() before the only two places where an extra reference is
      actually consumed.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      36453c85
    • Eric Biggers's avatar
      llc: fix another potential sk_buff leak in llc_ui_sendmsg() · fc8d5db1
      Eric Biggers authored
      All callers of llc_conn_state_process() except llc_build_and_send_pkt()
      (via llc_ui_sendmsg() -> llc_ui_send_data()) assume that it always
      consumes a reference to the skb.  Fix this caller to do the same.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      fc8d5db1
    • Eric Biggers's avatar
      llc: fix sk_buff leak in llc_conn_service() · b74555de
      Eric Biggers authored
      syzbot reported:
      
          BUG: memory leak
          unreferenced object 0xffff88811eb3de00 (size 224):
             comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s)
             hex dump (first 32 bytes):
               00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
               00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff  ..8$............
             backtrace:
               [<000000008d1c66a1>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
               [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline]
               [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline]
               [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
               [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
               [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline]
               [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
               [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140  net/llc/llc_c_ac.c:777
               [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475  [inline]
               [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline]
               [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640  net/llc/llc_conn.c:75
               [<00000000f27e53c1>] llc_establish_connection+0x110/0x170  net/llc/llc_if.c:109
               [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
               [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840
               [...]
      
      The bug is that most callers of llc_conn_send_pdu() assume it consumes a
      reference to the skb, when actually due to commit b85ab56c ("llc:
      properly handle dev_queue_xmit() return value") it doesn't.
      
      Revert most of that commit, and instead make the few places that need
      llc_conn_send_pdu() to *not* consume a reference call skb_get() before.
      
      Fixes: b85ab56c ("llc: properly handle dev_queue_xmit() return value")
      Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      b74555de
    • Eric Biggers's avatar
      llc: fix sk_buff leak in llc_sap_state_process() · c6ee11c3
      Eric Biggers authored
      syzbot reported:
      
          BUG: memory leak
          unreferenced object 0xffff888116270800 (size 224):
             comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s)
             hex dump (first 32 bytes):
               00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
               00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff  . .*.....@=*....
             backtrace:
               [<000000004d41b4cc>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
               [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline]
               [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline]
               [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
               [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
               [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline]
               [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250  net/core/skbuff.c:5327
               [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0  net/core/sock.c:2225
               [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
               [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
               [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline]
               [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671
               [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
      	 [...]
      
      The bug is that llc_sap_state_process() always takes an extra reference
      to the skb, but sometimes neither llc_sap_next_state() nor
      llc_sap_state_process() itself drops this reference.
      
      Fix it by changing llc_sap_next_state() to never consume a reference to
      the skb, rather than sometimes do so and sometimes not.  Then remove the
      extra skb_get() and kfree_skb() from llc_sap_state_process().
      
      Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com
      Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      c6ee11c3
  4. 07 Oct, 2019 13 commits
  5. 06 Oct, 2019 5 commits
  6. 05 Oct, 2019 4 commits
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v5.4' of... · 2d00aee2
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - remove unneeded ar-option and KBUILD_ARFLAGS
      
       - remove long-deprecated SUBDIRS
      
       - fix modpost to suppress false-positive warnings for UML builds
      
       - fix namespace.pl to handle relative paths to ${objtree}, ${srctree}
      
       - make setlocalversion work for /bin/sh
      
       - make header archive reproducible
      
       - fix some Makefiles and documents
      
      * tag 'kbuild-fixes-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kheaders: make headers archive reproducible
        kbuild: update compile-test header list for v5.4-rc2
        kbuild: two minor updates for Documentation/kbuild/modules.rst
        scripts/setlocalversion: clear local variable to make it work for sh
        namespace: fix namespace.pl script to support relative paths
        video/logo: do not generate unneeded logo C files
        video/logo: remove unneeded *.o pattern from clean-files
        integrity: remove pointless subdir-$(CONFIG_...)
        integrity: remove unneeded, broken attempt to add -fshort-wchar
        modpost: fix static EXPORT_SYMBOL warnings for UML build
        kbuild: correct formatting of header in kbuild module docs
        kbuild: remove SUBDIRS support
        kbuild: remove ar-option and KBUILD_ARFLAGS
      2d00aee2
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 126195c9
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Twelve patches mostly small but obvious fixes or cosmetic but small
        updates"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: Fix Nport ID display value
        scsi: qla2xxx: Fix N2N link up fail
        scsi: qla2xxx: Fix N2N link reset
        scsi: qla2xxx: Optimize NPIV tear down process
        scsi: qla2xxx: Fix stale mem access on driver unload
        scsi: qla2xxx: Fix unbound sleep in fcport delete path.
        scsi: qla2xxx: Silence fwdump template message
        scsi: hisi_sas: Make three functions static
        scsi: megaraid: disable device when probe failed after enabled device
        scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue
        scsi: qedf: Remove always false 'tmp_prio < 0' statement
        scsi: ufs: skip shutdown if hba is not powered
        scsi: bnx2fc: Handle scope bits when array returns BUSY or TSF
      126195c9
    • Linus Torvalds's avatar
      Merge branch 'readdir' (readdir speedup and sanity checking) · 4f11918a
      Linus Torvalds authored
      This makes getdents() and getdents64() do sanity checking on the
      pathname that it gives to user space.  And to mitigate the performance
      impact of that, it first cleans up the way it does the user copying, so
      that the code avoids doing the SMAP/PAN updates between each part of the
      dirent structure write.
      
      I really wanted to do this during the merge window, but didn't have
      time.  The conversion of filldir to unsafe_put_user() is something I've
      had around for years now in a private branch, but the extra pathname
      checking finally made me clean it up to the point where it is mergable.
      
      It's worth noting that the filename validity checking really should be a
      bit smarter: it would be much better to delay the error reporting until
      the end of the readdir, so that non-corrupted filenames are still
      returned.  But that involves bigger changes, so let's see if anybody
      actually hits the corrupt directory entry case before worrying about it
      further.
      
      * branch 'readdir':
        Make filldir[64]() verify the directory entry filename is valid
        Convert filldir[64]() from __put_user() to unsafe_put_user()
      4f11918a
    • Linus Torvalds's avatar
      Make filldir[64]() verify the directory entry filename is valid · 8a23eb80
      Linus Torvalds authored
      This has been discussed several times, and now filesystem people are
      talking about doing it individually at the filesystem layer, so head
      that off at the pass and just do it in getdents{64}().
      
      This is partially based on a patch by Jann Horn, but checks for NUL
      bytes as well, and somewhat simplified.
      
      There's also commentary about how it might be better if invalid names
      due to filesystem corruption don't cause an immediate failure, but only
      an error at the end of the readdir(), so that people can still see the
      filenames that are ok.
      
      There's also been discussion about just how much POSIX strictly speaking
      requires this since it's about filesystem corruption.  It's really more
      "protect user space from bad behavior" as pointed out by Jann.  But
      since Eric Biederman looked up the POSIX wording, here it is for context:
      
       "From readdir:
      
         The readdir() function shall return a pointer to a structure
         representing the directory entry at the current position in the
         directory stream specified by the argument dirp, and position the
         directory stream at the next entry. It shall return a null pointer
         upon reaching the end of the directory stream. The structure dirent
         defined in the <dirent.h> header describes a directory entry.
      
        From definitions:
      
         3.129 Directory Entry (or Link)
      
         An object that associates a filename with a file. Several directory
         entries can associate names with the same file.
      
        ...
      
         3.169 Filename
      
         A name consisting of 1 to {NAME_MAX} bytes used to name a file. The
         characters composing the name may be selected from the set of all
         character values excluding the slash character and the null byte. The
         filenames dot and dot-dot have special meaning. A filename is
         sometimes referred to as a 'pathname component'."
      
      Note that I didn't bother adding the checks to any legacy interfaces
      that nobody uses.
      
      Also note that if this ends up being noticeable as a performance
      regression, we can fix that to do a much more optimized model that
      checks for both NUL and '/' at the same time one word at a time.
      
      We haven't really tended to optimize 'memchr()', and it only checks for
      one pattern at a time anyway, and we really _should_ check for NUL too
      (but see the comment about "soft errors" in the code about why it
      currently only checks for '/')
      
      See the CONFIG_DCACHE_WORD_ACCESS case of hash_name() for how the name
      lookup code looks for pathname terminating characters in parallel.
      
      Link: https://lore.kernel.org/lkml/20190118161440.220134-2-jannh@google.com/
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Jann Horn <jannh@google.com>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8a23eb80