1. 04 Sep, 2017 1 commit
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · b63f6044
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter updates for net-next
      
      The following patchset contains Netfilter updates for your net-next
      tree. Basically, updates to the conntrack core, enhancements for
      nf_tables, conversion of netfilter hooks from linked list to array to
      improve memory locality and asorted improvements for the Netfilter
      codebase. More specifically, they are:
      
      1) Add expection to hashes after timer initialization to prevent
         access from another CPU that walks on the hashes and calls
         del_timer(), from Florian Westphal.
      
      2) Don't update nf_tables chain counters from hot path, this is only
         used by the x_tables compatibility layer.
      
      3) Get rid of nested rcu_read_lock() calls from netfilter hook path.
         Hooks are always guaranteed to run from rcu read side, so remove
         nested rcu_read_lock() where possible. Patch from Taehee Yoo.
      
      4) nf_tables new ruleset generation notifications include PID and name
         of the process that has updated the ruleset, from Phil Sutter.
      
      5) Use skb_header_pointer() from nft_fib, so we can reuse this code from
         the nf_family netdev family. Patch from Pablo M. Bermudo.
      
      6) Add support for nft_fib in nf_tables netdev family, also from Pablo.
      
      7) Use deferrable workqueue for conntrack garbage collection, to reduce
         power consumption, from Patch from Subash Abhinov Kasiviswanathan.
      
      8) Add nf_ct_expect_iterate_net() helper and use it. From Florian
         Westphal.
      
      9) Call nf_ct_unconfirmed_destroy only from cttimeout, from Florian.
      
      10) Drop references on conntrack removal path when skbuffs has escaped via
          nfqueue, from Florian.
      
      11) Don't queue packets to nfqueue with dying conntrack, from Florian.
      
      12) Constify nf_hook_ops structure, from Florian.
      
      13) Remove neededlessly branch in nf_tables trace code, from Phil Sutter.
      
      14) Add nla_strdup(), from Phil Sutter.
      
      15) Rise nf_tables objects name size up to 255 chars, people want to use
          DNS names, so increase this according to what RFC 1035 specifies.
          Patch series from Phil Sutter.
      
      16) Kill nf_conntrack_default_on, it's broken. Default on conntrack hook
          registration on demand, suggested by Eric Dumazet, patch from Florian.
      
      17) Remove unused variables in compat_copy_entry_from_user both in
          ip_tables and arp_tables code. Patch from Taehee Yoo.
      
      18) Constify struct nf_conntrack_l4proto, from Julia Lawall.
      
      19) Constify nf_loginfo structure, also from Julia.
      
      20) Use a single rb root in connlimit, from Taehee Yoo.
      
      21) Remove unused netfilter_queue_init() prototype, from Taehee Yoo.
      
      22) Use audit_log() instead of open-coding it, from Geliang Tang.
      
      23) Allow to mangle tcp options via nft_exthdr, from Florian.
      
      24) Allow to fetch TCP MSS from nft_rt, from Florian. This includes
          a fix for a miscalculation of the minimal length.
      
      25) Simplify branch logic in h323 helper, from Nick Desaulniers.
      
      26) Calculate netlink attribute size for conntrack tuple at compile
          time, from Florian.
      
      27) Remove protocol name field from nf_conntrack_{l3,l4}proto structure.
          From Florian.
      
      28) Remove holes in nf_conntrack_l4proto structure, so it becomes
          smaller. From Florian.
      
      29) Get rid of print_tuple() indirection for /proc conntrack listing.
          Place all the code in net/netfilter/nf_conntrack_standalone.c.
          Patch from Florian.
      
      30) Do not built in print_conntrack() if CONFIG_NF_CONNTRACK_PROCFS is
          off. From Florian.
      
      31) Constify most nf_conntrack_{l3,l4}proto helper functions, from
          Florian.
      
      32) Fix broken indentation in ebtables extensions, from Colin Ian King.
      
      33) Fix several harmless sparse warning, from Florian.
      
      34) Convert netfilter hook infrastructure to use array for better memory
          locality, joint work done by Florian and Aaron Conole. Moreover, add
          some instrumentation to debug this.
      
      35) Batch nf_unregister_net_hooks() calls, to call synchronize_net once
          per batch, from Florian.
      
      36) Get rid of noisy logging in ICMPv6 conntrack helper, from Florian.
      
      37) Get rid of obsolete NFDEBUG() instrumentation, from Varsha Rao.
      
      38) Remove unused code in the generic protocol tracker, from Davide
          Caratti.
      
      I think I will have material for a second Netfilter batch in my queue if
      time allow to make it fit in this merge window.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b63f6044
  2. 03 Sep, 2017 2 commits
  3. 02 Sep, 2017 23 commits
  4. 01 Sep, 2017 14 commits
    • Oleg Nesterov's avatar
      epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() · 138e4ad6
      Oleg Nesterov authored
      The race was introduced by me in commit 971316f0 ("epoll:
      ep_unregister_pollwait() can use the freed pwq->whead").  I did not
      realize that nothing can protect eventpoll after ep_poll_callback() sets
      ->whead = NULL, only whead->lock can save us from the race with
      ep_free() or ep_remove().
      
      Move ->whead = NULL to the end of ep_poll_callback() and add the
      necessary barriers.
      
      TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even
      before this patch.
      
      Hopefully this explains use-after-free reported by syzcaller:
      
      	BUG: KASAN: use-after-free in debug_spin_lock_before
      	...
      	 _raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
      	 ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148
      
      this is spin_lock(eventpoll->lock),
      
      	...
      	Freed by task 17774:
      	...
      	 kfree+0xe8/0x2c0 mm/slub.c:3883
      	 ep_free+0x22c/0x2a0 fs/eventpoll.c:865
      
      Fixes: 971316f0 ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
      Reported-by: default avatar范龙飞 <long7573@126.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      138e4ad6
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8cf9f2a2
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix handling of pinned BPF map nodes in hash of maps, from Daniel
          Borkmann.
      
       2) IPSEC ESP error paths leak memory, from Steffen Klassert.
      
       3) We need an RCU grace period before freeing fib6_node objects, from
          Wei Wang.
      
       4) Must check skb_put_padto() return value in HSR driver, from FLorian
          Fainelli.
      
       5) Fix oops on PHY probe failure in ftgmac100 driver, from Andrew
          Jeffery.
      
       6) Fix infinite loop in UDP queue when using SO_PEEK_OFF, from Eric
          Dumazet.
      
       7) Use after free when tcf_chain_destroy() called multiple times, from
          Jiri Pirko.
      
       8) Fix KSZ DSA tag layer multiple free of SKBS, from Florian Fainelli.
      
       9) Fix leak of uninitialized memory in sctp_get_sctp_info(),
          inet_diag_msg_sctpladdrs_fill() and inet_diag_msg_sctpaddrs_fill().
          From Stefano Brivio.
      
      10) L2TP tunnel refcount fixes from Guillaume Nault.
      
      11) Don't leak UDP secpath in udp_set_dev_scratch(), from Yossi
          Kauperman.
      
      12) Revert a PHY layer change wrt. handling of PHY_HALTED state in
          phy_stop_machine(), it causes regressions for multiple people. From
          Florian Fainelli.
      
      13) When packets are sent out of br0 we have to clear the
          offload_fwdq_mark value.
      
      14) Several NULL pointer deref fixes in packet schedulers when their
          ->init() routine fails. From Nikolay Aleksandrov.
      
      15) Aquantium devices cannot checksum offload correctly when the packet
          is <= 60 bytes. From Pavel Belous.
      
      16) Fix vnet header access past end of buffer in AF_PACKET, from
          Benjamin Poirier.
      
      17) Double free in probe error paths of nfp driver, from Dan Carpenter.
      
      18) QOS capability not checked properly in DCB init paths of mlx5
          driver, from Huy Nguyen.
      
      19) Fix conflicts between firmware load failure and health_care timer in
          mlx5, also from Huy Nguyen.
      
      20) Fix dangling page pointer when DMA mapping errors occur in mlx5,
          from Eran Ben ELisha.
      
      21) ->ndo_setup_tc() in bnxt_en driver doesn't count rings properly,
          from Michael Chan.
      
      22) Missing MSIX vector free in bnxt_en, also from Michael Chan.
      
      23) Refcount leak in xfrm layer when using sk_policy, from Lorenzo
          Colitti.
      
      24) Fix copy of uninitialized data in qlge driver, from Arnd Bergmann.
      
      25) bpf_setsockopts() erroneously always returns -EINVAL even on
          success. Fix from Yuchung Cheng.
      
      26) tipc_rcv() needs to linearize the SKB before parsing the inner
          headers, from Parthasarathy Bhuvaragan.
      
      27) Fix deadlock between link status updates and link removal in netvsc
          driver, from Stephen Hemminger.
      
      28) Missed locking of page fragment handling in ESP output, from Steffen
          Klassert.
      
      29) Fix refcnt leak in ebpf congestion control code, from Sabrina
          Dubroca.
      
      30) sxgbe_probe_config_dt() doesn't check devm_kzalloc()'s return value,
          from Christophe Jaillet.
      
      31) Fix missing ipv6 rx_dst_cookie update when rx_dst is updated during
          early demux, from Paolo Abeni.
      
      32) Several info leaks in xfrm_user layer, from Mathias Krause.
      
      33) Fix out of bounds read in cxgb4 driver, from Stefano Brivio.
      
      34) Properly propagate obsolete state of route upwards in ipv6 so that
          upper holders like xfrm can see it. From Xin Long.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (118 commits)
        udp: fix secpath leak
        bridge: switchdev: Clear forward mark when transmitting packet
        mlxsw: spectrum: Forbid linking to devices that have uppers
        wl1251: add a missing spin_lock_init()
        Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"
        net: dsa: bcm_sf2: Fix number of CFP entries for BCM7278
        kcm: do not attach PF_KCM sockets to avoid deadlock
        sch_tbf: fix two null pointer dereferences on init failure
        sch_sfq: fix null pointer dereference on init failure
        sch_netem: avoid null pointer deref on init failure
        sch_fq_codel: avoid double free on init failure
        sch_cbq: fix null pointer dereferences on init failure
        sch_hfsc: fix null pointer deref and double free on init failure
        sch_hhf: fix null pointer dereference on init failure
        sch_multiq: fix double free on init failure
        sch_htb: fix crash on init failure
        net/mlx5e: Fix CQ moderation mode not set properly
        net/mlx5e: Fix inline header size for small packets
        net/mlx5: E-Switch, Unload the representors in the correct order
        net/mlx5e: Properly resolve TC offloaded ipv6 vxlan tunnel source address
        ...
      8cf9f2a2
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.13-rc8' of git://github.com/ceph/ceph-client · b8a78bb4
      Linus Torvalds authored
      Pull ceph fix from Ilya Dryomov:
       "ceph fscache page locking fix from Zheng, marked for stable"
      
      * tag 'ceph-for-4.13-rc8' of git://github.com/ceph/ceph-client:
        ceph: fix readpage from fscache
      b8a78bb4
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 3e1d79c8
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
       "Just a couple drivers fixes (Synaptics PS/2, Xpad)"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: xpad - fix PowerA init quirk for some gamepad models
        Input: synaptics - fix device info appearing different on reconnect
      3e1d79c8
    • Willem de Bruijn's avatar
      selftests: correct define in msg_zerocopy.c · bbd9644e
      Willem de Bruijn authored
      The msg_zerocopy test defines SO_ZEROCOPY if necessary, but its value
      is inconsistent with the one in asm-generic.h. Correct that.
      
      Also convert one error to a warning. When the test is complete, report
      throughput and close cleanly even if the process did not wait for all
      completions.
      Reported-by: default avatarDan Melnic <dmm@fb.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bbd9644e
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · d7e44b86
      Linus Torvalds authored
      Pull two more MMC fixes from Ulf Hansson:
       "MMC core:
         - Fix block status codes
      
        MMC host:
         - sdhci-xenon: Fix SD bus voltage select"
      
      * tag 'mmc-v4.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-xenon: add set_power callback
        mmc: block: Fix block status codes
      d7e44b86
    • Willem de Bruijn's avatar
      doc: document MSG_ZEROCOPY · cc8889ae
      Willem de Bruijn authored
      Documentation for this feature was missing from the patchset.
      Copied a lot from the netdev 2.1 paper, addressing some small
      interface changes since then.
      
      Changes
        v1 -> v2
          - change email discussion URL format
          - clarify that u32 counter is per-syscall, unsigned and
            wraps after UINT_MAX calls
          - describe errno on send failure specific to MSG_ZEROCOPY
          - a few very minor rewordings
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc8889ae
    • Linus Torvalds's avatar
      Merge tag 'sound-4.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 381cce59
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Three regression fixes that should be addressed before the final
        release: a missing mutex call in OSS PCM emulation ioctl, ASoC rt5670
        headset detection breakage, and a regression in simple-card parser
        code"
      
      * tag 'sound-4.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ASoC: simple_card_utils: fix fallback when "label" property isn't present
        ALSA: pcm: Fix power lock unbalance via OSS emulation
        ASoC: rt5670: Fix GPIO headset detection regression
      381cce59
    • David Ahern's avatar
      bpf: Collapse offset checks in sock_filter_is_valid_access · 9df59055
      David Ahern authored
      Make sock_filter_is_valid_access consistent with other is_valid_access
      helpers.
      Requested-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9df59055
    • Andrew Pilloud's avatar
      mvneta: Driver and hardware supports IPv6 offload, so enable it · c54a5048
      Andrew Pilloud authored
      The mvneta driver and hardware supports IPv6 offload, however it
      isn't enabled. Set the NETIF_F_IPV6_CSUM feature to inform the
      network layer that this driver can offload IPV6 TCP and UDP
      checksums. This change has been tested on an Armada 370 and the
      feature support confirmed with several device datasheets
      including the Armada XP and Armada 3700.
      Signed-off-by: default avatarAndrew Pilloud <andrewpilloud@igneoussystems.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c54a5048
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · bba2a5b8
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
       "Three more bug fixes for v4.13.
      
        The two memory management related fixes are quite new, they fix kernel
        crashes that can be triggered by user space.
      
        The third commit fixes a bug in the vfio ccw translation code"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/mm: fix BUG_ON in crst_table_upgrade
        s390/mm: fork vs. 5 level page tabel
        vfio: ccw: fix bad ptr math for TIC cda translation
      bba2a5b8
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-next-for-davem-2017-09-01' of... · 5dd6fc7a
      David S. Miller authored
      Merge tag 'wireless-drivers-next-for-davem-2017-09-01' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
      
      Kalle Valo says:
      
      ====================
      wireless-drivers-next patches for 4.14
      
      Few last patches for 4.14, nothing really major here.
      
      Major changes:
      
      wil6210
      
      * support FW RSSI reporting (by mistake this was accidentally
        mentioned already in the previous pull request, but now it's really
        included)
      
      * make debugfs optional, adds new Kconfig option CONFIG_WIL6210_DEBUGFS
      
      qtnfmac
      
      * implement 64-bit DMA support
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5dd6fc7a
    • Colin Ian King's avatar
      qlcnic: remove redundant zero check on retries counter · f6849d01
      Colin Ian King authored
      At the end of the do while loop the integer counter retries will
      always be zero and so the subsequent check to see if it is zero
      is always true and therefore redundant.  Remove the redundant check
      and always return -EIO on this return path.  Also unbreak the literal
      string in dev_err message to clean up a checkpatch warning.
      
      Detected by CoverityScan, CID#744279 ("Logically dead code")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f6849d01
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · a1c516a6
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes the following issues:
      
         - Regression in chacha20 handling of chunked input
      
         - Crash in algif_skcipher when used with async io
      
         - Potential bogus pointer dereference in lib/mpi"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: algif_skcipher - only call put_page on referenced and used pages
        crypto: testmgr - add chunked test cases for chacha20
        crypto: chacha20 - fix handling of chunked input
        lib/mpi: kunmap after finishing accessing buffer
      a1c516a6