1. 14 May, 2018 8 commits
    • Eric Biggers's avatar
      net/smc: check for missing nlattrs in SMC_PNETID messages · d49baa7e
      Eric Biggers authored
      It's possible to crash the kernel in several different ways by sending
      messages to the SMC_PNETID generic netlink family that are missing the
      expected attributes:
      
      - Missing SMC_PNETID_NAME => null pointer dereference when comparing
        names.
      - Missing SMC_PNETID_ETHNAME => null pointer dereference accessing
        smc_pnetentry::ndev.
      - Missing SMC_PNETID_IBNAME => null pointer dereference accessing
        smc_pnetentry::smcibdev.
      - Missing SMC_PNETID_IBPORT => out of bounds array access to
        smc_ib_device::pattr[-1].
      
      Fix it by validating that all expected attributes are present and that
      SMC_PNETID_IBPORT is nonzero.
      
      Reported-by: syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com
      Fixes: 6812baab ("smc: establish pnet table management")
      Cc: <stable@vger.kernel.org> # v4.11+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d49baa7e
    • Tarick Bedeir's avatar
      net/mlx4_core: Fix error handling in mlx4_init_port_info. · 57f6f99f
      Tarick Bedeir authored
      Avoid exiting the function with a lingering sysfs file (if the first
      call to device_create_file() fails while the second succeeds), and avoid
      calling devlink_port_unregister() twice.
      
      In other words, either mlx4_init_port_info() succeeds and returns zero, or
      it fails, returns non-zero, and requires no cleanup.
      
      Fixes: 096335b3 ("mlx4_core: Allow dynamic MTU configuration for IB ports")
      Signed-off-by: default avatarTarick Bedeir <tarick@google.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      57f6f99f
    • Jason Wang's avatar
      tun: fix use after free for ptr_ring · b196d88a
      Jason Wang authored
      We used to initialize ptr_ring during TUNSETIFF, this is because its
      size depends on the tx_queue_len of netdevice. And we try to clean it
      up when socket were detached from netdevice. A race were spotted when
      trying to do uninit during a read which will lead a use after free for
      pointer ring. Solving this by always initialize a zero size ptr_ring
      in open() and do resizing during TUNSETIFF, and then we can safely do
      cleanup during close(). With this, there's no need for the workaround
      that was introduced by commit 4df0bfc7 ("tun: fix a memory leak
      for tfile->tx_array").
      
      Reported-by: syzbot+e8b902c3c3fadf0a9dba@syzkaller.appspotmail.com
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Fixes: 1576d986 ("tun: switch to use skb array for tx")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b196d88a
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 9d6b4bfb
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-05-14
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix nfp to allow zero-length BPF capabilities, meaning the nfp
         capability parsing loop will otherwise exit early if the last
         capability is zero length and therefore driver will fail to probe
         with an error such as:
      
           nfp: BPF capabilities left after parsing, parsed:92 total length:100
           nfp: invalid BPF capabilities at offset:92
      
         Fix from Jakub.
      
      2) libbpf's bpf_object__open() may return IS_ERR_OR_NULL() and not
         just an error. Fix libbpf's bpf_prog_load_xattr() to handle that
         case as well, also from Jakub.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d6b4bfb
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 4f6b15c3
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter/IPVS fixes for your net tree,
      they are:
      
      1) Fix handling of simultaneous open TCP connection in conntrack,
         from Jozsef Kadlecsik.
      
      2) Insufficient sanitify check of xtables extension names, from
         Florian Westphal.
      
      3) Skip unnecessary synchronize_rcu() call when transaction log
         is already empty, from Florian Westphal.
      
      4) Incorrect destination mac validation in ebt_stp, from Stephen
         Hemminger.
      
      5) xtables module reference counter leak in nft_compat, from
         Florian Westphal.
      
      6) Incorrect connection reference counting logic in IPVS
         one-packet scheduler, from Julian Anastasov.
      
      7) Wrong stats for 32-bits CPU in IPVS, also from Julian.
      
      8) Calm down sparse error in netfilter core, also from Florian.
      
      9) Use nla_strlcpy to fix compilation warning in nfnetlink_acct
         and nfnetlink_cthelper, again from Florian.
      
      10) Missing module alias in icmp and icmp6 xtables extensions,
          from Florian Westphal.
      
      11) Base chain statistics in nf_tables may be unset/null, from Florian.
      
      12) Fix handling of large matchinfo size in nft_compat, this includes
          one preparation for before this fix. From Florian.
      
      13) Fix bogus EBUSY error when deleting chains due to incorrect reference
          counting from the preparation phase of the two-phase commit protocol.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f6b15c3
    • Michal Kalderon's avatar
      qede: Fix ref-cnt usage count · 91dfd02b
      Michal Kalderon authored
      Rebooting while qedr is loaded with a VLAN interface present
      results in unregister_netdevice waiting for the usage count
      to become free.
      The fix is that rdma devices should be removed before unregistering
      the netdevice, to assure all references to ndev are decreased.
      
      Fixes: cee9fbd8 ("qede: Add qedr framework")
      Signed-off-by: default avatarAriel Elior <ariel.elior@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <michal.kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      91dfd02b
    • Christoph Hellwig's avatar
      3c59x: convert to generic DMA API · 55c82617
      Christoph Hellwig authored
      This driver supports EISA devices in addition to PCI devices, and relied
      on the legacy behavior of the pci_dma* shims to pass on a NULL pointer
      to the DMA API, and the DMA API being able to handle that.  When the
      NULL forwarding broke the EISA support got broken.  Fix this by converting
      to the DMA API instead of the legacy PCI shims.
      
      Fixes: 4167b2ad ("PCI: Remove NULL device handling from PCI DMA API")
      Reported-by: default avatartedheadster <tedheadster@gmail.com>
      Tested-by: default avatartedheadster <tedheadster@gmail.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55c82617
    • Willem de Bruijn's avatar
      packet: in packet_snd start writing at link layer allocation · b84bbaf7
      Willem de Bruijn authored
      Packet sockets allow construction of packets shorter than
      dev->hard_header_len to accommodate protocols with variable length
      link layer headers. These packets are padded to dev->hard_header_len,
      because some device drivers interpret that as a minimum packet size.
      
      packet_snd reserves dev->hard_header_len bytes on allocation.
      SOCK_DGRAM sockets call skb_push in dev_hard_header() to ensure that
      link layer headers are stored in the reserved range. SOCK_RAW sockets
      do the same in tpacket_snd, but not in packet_snd.
      
      Syzbot was able to send a zero byte packet to a device with massive
      116B link layer header, causing padding to cross over into skb_shinfo.
      Fix this by writing from the start of the llheader reserved range also
      in the case of packet_snd/SOCK_RAW.
      
      Update skb_set_network_header to the new offset. This also corrects
      it for SOCK_DGRAM, where it incorrectly double counted reserve due to
      the skb_push in dev_hard_header.
      
      Fixes: 9ed988cd ("packet: validate variable length ll headers")
      Reported-by: syzbot+71d74a5406d02057d559@syzkaller.appspotmail.com
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b84bbaf7
  2. 13 May, 2018 1 commit
  3. 11 May, 2018 31 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 4bc87198
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Verify lengths of keys provided by the user is AF_KEY, from Kevin
          Easton.
      
       2) Add device ID for BCM89610 PHY. Thanks to Bhadram Varka.
      
       3) Add Spectre guards to some ATM code, courtesy of Gustavo A. R.
          Silva.
      
       4) Fix infinite loop in NSH protocol code. To Eric Dumazet we are most
          grateful for this fix.
      
       5) Line up /proc/net/netlink headers properly. This fix from YU Bo, we
          do appreciate.
      
       6) Use after free in TLS code. Once again we are blessed by the
          honorable Eric Dumazet with this fix.
      
       7) Fix regression in TLS code causing stalls on partial TLS records.
          This fix is bestowed upon us by Andrew Tomt.
      
       8) Deal with too small MTUs properly in LLC code, another great gift
          from Eric Dumazet.
      
       9) Handle cached route flushing properly wrt. MTU locking in ipv4, to
          Hangbin Liu we give thanks for this.
      
      10) Fix regression in SO_BINDTODEVIC handling wrt. UDP socket demux.
          Paolo Abeni, he gave us this.
      
      11) Range check coalescing parameters in mlx4 driver, thank you Moshe
          Shemesh.
      
      12) Some ipv6 ICMP error handling fixes in rxrpc, from our good brother
          David Howells.
      
      13) Fix kexec on mlx5 by freeing IRQs in shutdown path. Daniel Juergens,
          you're the best!
      
      14) Don't send bonding RLB updates to invalid MAC addresses. Debabrata
          Benerjee saved us!
      
      15) Uh oh, we were leaking in udp_sendmsg and ping_v4_sendmsg. The ship
          is now water tight, thanks to Andrey Ignatov.
      
      16) IPSEC memory leak in ixgbe from Colin Ian King, man we've got holes
          everywhere!
      
      17) Fix error path in tcf_proto_create, Jiri Pirko what would we do
          without you!
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (92 commits)
        net sched actions: fix refcnt leak in skbmod
        net: sched: fix error path in tcf_proto_create() when modules are not configured
        net sched actions: fix invalid pointer dereferencing if skbedit flags missing
        ixgbe: fix memory leak on ipsec allocation
        ixgbevf: fix ixgbevf_xmit_frame()'s return type
        ixgbe: return error on unsupported SFP module when resetting
        ice: Set rq_last_status when cleaning rq
        ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
        mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()'
        bonding: send learning packets for vlans on slave
        bonding: do not allow rlb updates to invalid mac
        net/mlx5e: Err if asked to offload TC match on frag being first
        net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
        net/mlx5: Free IRQs in shutdown path
        rxrpc: Trace UDP transmission failure
        rxrpc: Add a tracepoint to log ICMP/ICMP6 and error messages
        rxrpc: Fix the min security level for kernel calls
        rxrpc: Fix error reception on AF_INET6 sockets
        rxrpc: Fix missing start of call timeout
        qed: fix spelling mistake: "taskelt" -> "tasklet"
        ...
      4bc87198
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.17-2' of git://git.linux-nfs.org/projects/anna/linux-nfs · a1f45efb
      Linus Torvalds authored
      Pull NFS client fixes from Anna Schumaker:
       "These patches fix both a possible corruption during NFSoRDMA MR
        recovery, and a sunrpc tracepoint crash.
      
        Additionally, Trond has a new email address to put in the MAINTAINERS
        file"
      
      * tag 'nfs-for-4.17-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        Change Trond's email address in MAINTAINERS
        sunrpc: Fix latency trace point crashes
        xprtrdma: Fix list corruption / DMAR errors during MR recovery
      a1f45efb
    • Roman Mashak's avatar
      net sched actions: fix refcnt leak in skbmod · a52956df
      Roman Mashak authored
      When application fails to pass flags in netlink TLV when replacing
      existing skbmod action, the kernel will leak refcnt:
      
      $ tc actions get action skbmod index 1
      total acts 0
      
              action order 0: skbmod pipe set smac 00:11:22:33:44:55
               index 1 ref 1 bind 0
      
      For example, at this point a buggy application replaces the action with
      index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags,
      however refcnt gets bumped:
      
      $ tc actions get actions skbmod index 1
      total acts 0
      
              action order 0: skbmod pipe set smac 00:11:22:33:44:55
               index 1 ref 2 bind 0
      $
      
      Tha patch fixes this by calling tcf_idr_release() on existing actions.
      
      Fixes: 86da71b5 ("net_sched: Introduce skbmod action")
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a52956df
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.17-rc5' of git://github.com/ceph/ceph-client · ac428036
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "These patches fix two long-standing bugs in the DIO code path, one of
        which is a crash trivially triggerable with splice()"
      
      * tag 'ceph-for-4.17-rc5' of git://github.com/ceph/ceph-client:
        ceph: fix iov_iter issues in ceph_direct_read_write()
        libceph: add osd_req_op_extent_osd_data_bvecs()
        ceph: fix rsize/wsize capping in ceph_direct_read_write()
      ac428036
    • Jiri Pirko's avatar
      net: sched: fix error path in tcf_proto_create() when modules are not configured · d68d75fd
      Jiri Pirko authored
      In case modules are not configured, error out when tp->ops is null
      and prevent later null pointer dereference.
      
      Fixes: 33a48927 ("sched: push TC filter protocol creation into a separate function")
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d68d75fd
    • Linus Torvalds's avatar
      Merge tag 'sh-for-4.17-fixes' of git://git.libc.org/linux-sh · 3f5f8596
      Linus Torvalds authored
      Pull arch/sh fixes from Rich Felker:
       "Fixes for critical regressions and a build failure.
      
        The regressions were introduced in 4.15 and 4.17-rc1 and prevented
        booting on affected systems"
      
      * tag 'sh-for-4.17-fixes' of git://git.libc.org/linux-sh:
        sh: switch to NO_BOOTMEM
        sh: mm: Fix unprotected access to struct device
        sh: fix build failure for J2 cpu with SMP disabled
      3f5f8596
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 7404bc27
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "There's a small memblock accounting problem when freeing the initrd
        and a Spectre-v2 mitigation for NVIDIA Denver CPUs which just requires
        a match on the CPU ID register.
      
        Summary:
      
         - Mitigate Spectre-v2 for NVIDIA Denver CPUs
      
         - Free memblocks corresponding to freed initrd area"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: capabilities: Add NVIDIA Denver CPU to bp_harden list
        arm64: Add MIDR encoding for NVIDIA CPUs
        arm64: To remove initrd reserved area entry from memblock
      7404bc27
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 5c6b5460
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "One fix for an actual regression, the change to the SYSCALL_DEFINE
        wrapper broke FTRACE_SYSCALLS for us due to a name mismatch. There's
        also another commit to the same code to make sure we match all our
        syscalls with various prefixes.
      
        And then just one minor build fix, and the removal of an unused
        variable that was removed and then snuck back in due to some rebasing.
      
        Thanks to: Naveen N. Rao"
      
      * tag 'powerpc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries: Fix CONFIG_NUMA=n build
        powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix
        powerpc/trace/syscalls: Update syscall name matching logic
        powerpc/64: Remove unused paca->soft_enabled
      5c6b5460
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · c110a8b7
      Linus Torvalds authored
      Pull tracing fix from Steven Rostedt:
       "Working on some new updates to trace filtering, I noticed that the
        regex_match_front() test was updated to be limited to the size of the
        pattern instead of the full test string.
      
        But as the test string is not guaranteed to be nul terminated, it
        still needs to consider the size of the test string"
      
      * tag 'trace-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix regex_match_front() to not over compare the test string
      c110a8b7
    • David S. Miller's avatar
      Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · f4d641a2
      David S. Miller authored
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Updates 2018-05-11
      
      This series contains fixes to the ice, ixgbe and ixgbevf drivers.
      
      Jeff Shaw provides a fix to ensure rq_last_status gets set, whether or
      not the hardware responds with an error in the ice driver.
      
      Emil adds a check for unsupported module during the reset routine for
      ixgbe.
      
      Luc Van Oostenryck fixes ixgbevf_xmit_frame() where it was not using the
      correct return value (int).
      
      Colin Ian King fixes a potential resource leak in ixgbe, where we were
      not freeing ipsec in our cleanup path.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4d641a2
    • David S. Miller's avatar
      Merge tag 'rxrpc-fixes-20180510' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · f0100891
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fixes
      
      Here are three fixes for AF_RXRPC and two tracepoints that were useful for
      finding them:
      
       (1) Fix missing start of expect-Rx-by timeout on initial packet
           transmission so that calls will time out if the peer doesn't respond.
      
       (2) Fix error reception on AF_INET6 sockets by using the correct family of
           sockopts on the UDP transport socket.
      
       (3) Fix setting the minimum security level on kernel calls so that they
           can be encrypted.
      
       (4) Add a tracepoint to log ICMP/ICMP6 and other error reports from the
           transport socket.
      
       (5) Add a tracepoint to log UDP sendmsg failure so that we can find out if
           transmission failure occurred on the UDP socket.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0100891
    • Roman Mashak's avatar
      net sched actions: fix invalid pointer dereferencing if skbedit flags missing · af5d0184
      Roman Mashak authored
      When application fails to pass flags in netlink TLV for a new skbedit action,
      the kernel results in the following oops:
      
      [    8.307732] BUG: unable to handle kernel paging request at 0000000000021130
      [    8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0
      [    8.310595] Oops: 0000 [#1] SMP PTI
      [    8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw
      [    8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357
      [    8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140
      [    8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246
      [    8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000
      [    8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100
      [    8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122
      [    8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000
      [    8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000
      [    8.325590] FS:  00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000
      [    8.327001] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0
      [    8.329289] Call Trace:
      [    8.329735]  tcf_skbedit_init+0xa7/0xb0
      [    8.330423]  tcf_action_init_1+0x362/0x410
      [    8.331139]  ? try_to_wake_up+0x44/0x430
      [    8.331817]  tcf_action_init+0x103/0x190
      [    8.332511]  tc_ctl_action+0x11a/0x220
      [    8.333174]  rtnetlink_rcv_msg+0x23d/0x2e0
      [    8.333902]  ? _cond_resched+0x16/0x40
      [    8.334569]  ? __kmalloc_node_track_caller+0x5b/0x2c0
      [    8.335440]  ? rtnl_calcit.isra.31+0xf0/0xf0
      [    8.336178]  netlink_rcv_skb+0xdb/0x110
      [    8.336855]  netlink_unicast+0x167/0x220
      [    8.337550]  netlink_sendmsg+0x2a7/0x390
      [    8.338258]  sock_sendmsg+0x30/0x40
      [    8.338865]  ___sys_sendmsg+0x2c5/0x2e0
      [    8.339531]  ? pagecache_get_page+0x27/0x210
      [    8.340271]  ? filemap_fault+0xa2/0x630
      [    8.340943]  ? page_add_file_rmap+0x108/0x200
      [    8.341732]  ? alloc_set_pte+0x2aa/0x530
      [    8.342573]  ? finish_fault+0x4e/0x70
      [    8.343332]  ? __handle_mm_fault+0xbc1/0x10d0
      [    8.344337]  ? __sys_sendmsg+0x53/0x80
      [    8.345040]  __sys_sendmsg+0x53/0x80
      [    8.345678]  do_syscall_64+0x4f/0x100
      [    8.346339]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [    8.347206] RIP: 0033:0x7f591191da67
      [    8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [    8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67
      [    8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003
      [    8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000
      [    8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
      [    8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0
      [    8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00
      00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30
      74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c
      [    8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840
      [    8.359770] CR2: 0000000000021130
      [    8.360438] ---[ end trace 60c66be45dfc14f0 ]---
      
      The caller calls action's ->init() and passes pointer to "struct tc_action *a",
      which later may be initialized to point at the existing action, otherwise
      "struct tc_action *a" is still invalid, and therefore dereferencing it is an
      error as happens in tcf_idr_release, where refcnt is decremented.
      
      So in case of missing flags tcf_idr_release must be called only for
      existing actions.
      
      v2:
          - prepare patch for net tree
      
      Fixes: 5e1567ae ("net sched: skbedit action fix late binding")
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af5d0184
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 84c3a097
      Linus Torvalds authored
      Pull xen fix from Juergen Gross:
       "One fix for the kernel running as a fully virtualized guest using PV
        drivers on old Xen hypervisor versions"
      
      * tag 'for-linus-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        x86/xen: Reset VCPU0 info pointer after shared_info remap
      84c3a097
    • Colin Ian King's avatar
      ixgbe: fix memory leak on ipsec allocation · c89ebb96
      Colin Ian King authored
      The error clean up path kfree's adapter->ipsec and should be
      instead kfree'ing ipsec. Fix this.  Also, the err1 error exit path
      does not need to kfree ipsec because this failure path was for
      the failed allocation of ipsec.
      
      Detected by CoverityScan, CID#146424 ("Resource Leak")
      
      Fixes: 63a67fe2 ("ixgbe: add ipsec offload add and remove SA")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarShannon Nelson <shannon.nelson@oracle.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      c89ebb96
    • Luc Van Oostenryck's avatar
      ixgbevf: fix ixgbevf_xmit_frame()'s return type · cf12aab6
      Luc Van Oostenryck authored
      The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
      which is a typedef for an enum type, but the implementation in this
      driver returns an 'int'.
      
      Fix this by returning 'netdev_tx_t' in this driver too.
      Signed-off-by: default avatarLuc Van Oostenryck <luc.vanoostenryck@gmail.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      cf12aab6
    • Emil Tantilov's avatar
      ixgbe: return error on unsupported SFP module when resetting · bbb27076
      Emil Tantilov authored
      Add check for unsupported module and return the error code.
      This fixes a Coverity hit due to unused return status from setup_sfp.
      Signed-off-by: default avatarEmil Tantilov <emil.s.tantilov@intel.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      bbb27076
    • Jeff Shaw's avatar
      ice: Set rq_last_status when cleaning rq · ea3beca4
      Jeff Shaw authored
      Prior to this commit, the rq_last_status was only set when hardware
      responded with an error. This leads to rq_last_status being invalid
      in the future when hardware eventually responds without error. This
      commit resolves the issue by unconditionally setting rq_last_status
      with the value returned in the descriptor.
      
      Fixes: 940b61af ("ice: Initialize PF and setup miscellaneous
      interrupt")
      Signed-off-by: default avatarJeff Shaw <jeffrey.b.shaw@intel.com>
      Signed-off-by: default avatarAnirudh Venkataramanan <anirudh.venkataramanan@intel.com>
      Tested-by: default avatarTony Brelinski <tonyx.brelinski@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      ea3beca4
    • Trond Myklebust's avatar
    • Rob Herring's avatar
      sh: switch to NO_BOOTMEM · ac21fc2d
      Rob Herring authored
      Commit 0fa1c579 ("of/fdt: use memblock_virt_alloc for early alloc")
      inadvertently switched the DT unflattening allocations from memblock to
      bootmem which doesn't work because the unflattening happens before
      bootmem is initialized. Swapping the order of bootmem init and
      unflattening could also fix this, but removing bootmem is desired. So
      enable NO_BOOTMEM on SH like other architectures have done.
      
      Fixes: 0fa1c579 ("of/fdt: use memblock_virt_alloc for early alloc")
      Reported-by: default avatarRich Felker <dalias@libc.org>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarRich Felker <dalias@libc.org>
      ac21fc2d
    • Linus Torvalds's avatar
      mmap: introduce sane default mmap limits · be83bbf8
      Linus Torvalds authored
      The internal VM "mmap()" interfaces are based on the mmap target doing
      everything using page indexes rather than byte offsets, because
      traditionally (ie 32-bit) we had the situation that the byte offset
      didn't fit in a register.  So while the mmap virtual address was limited
      by the word size of the architecture, the backing store was not.
      
      So we're basically passing "pgoff" around as a page index, in order to
      be able to describe backing store locations that are much bigger than
      the word size (think files larger than 4GB etc).
      
      But while this all makes a ton of sense conceptually, we've been dogged
      by various drivers that don't really understand this, and internally
      work with byte offsets, and then try to work with the page index by
      turning it into a byte offset with "pgoff << PAGE_SHIFT".
      
      Which obviously can overflow.
      
      Adding the size of the mapping to it to get the byte offset of the end
      of the backing store just exacerbates the problem, and if you then use
      this overflow-prone value to check various limits of your device driver
      mmap capability, you're just setting yourself up for problems.
      
      The correct thing for drivers to do is to do their limit math in page
      indices, the way the interface is designed.  Because the generic mmap
      code _does_ test that the index doesn't overflow, since that's what the
      mmap code really cares about.
      
      HOWEVER.
      
      Finding and fixing various random drivers is a sisyphean task, so let's
      just see if we can just make the core mmap() code do the limiting for
      us.  Realistically, the only "big" backing stores we need to care about
      are regular files and block devices, both of which are known to do this
      properly, and which have nice well-defined limits for how much data they
      can access.
      
      So let's special-case just those two known cases, and then limit other
      random mmap users to a backing store that still fits in "unsigned long".
      Realistically, that's not much of a limit at all on 64-bit, and on
      32-bit architectures the only worry might be the GPU drivers, which can
      have big physical address spaces.
      
      To make it possible for drivers like that to say that they are 64-bit
      clean, this patch does repurpose the "FMODE_UNSIGNED_OFFSET" bit in the
      file flags to allow drivers to mark their file descriptors as safe in
      the full 64-bit mmap address space.
      
      [ The timing for doing this is less than optimal, and this should really
        go in a merge window. But realistically, this needs wide testing more
        than it needs anything else, and being main-line is the only way to do
        that.
      
        So the earlier the better, even if it's outside the proper development
        cycle        - Linus ]
      
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: Dave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      be83bbf8
    • Linus Torvalds's avatar
      Merge tag 'pm-4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 41e3e108
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix two PCI power management regressions from the 4.13 cycle and
        one cpufreq schedutil governor bug introduced during the 4.12 cycle,
        drop a stale comment from the schedutil code and fix two mistakes in
        docs.
      
        Specifics:
      
         - Restore device_may_wakeup() check in pci_enable_wake() removed
           inadvertently during the 4.13 cycle to prevent systems from drawing
           excessive power when suspended or off, among other things (Rafael
           Wysocki).
      
         - Fix pci_dev_run_wake() to properly handle devices that only can
           signal PME# when in the D3cold power state (Kai Heng Feng).
      
         - Fix the schedutil cpufreq governor to avoid using UINT_MAX as the
           new CPU frequency in some cases due to a missing check (Rafael
           Wysocki).
      
         - Remove a stale comment regarding worker kthreads from the schedutil
           cpufreq governor (Juri Lelli).
      
         - Fix a copy-paste mistake in the intel_pstate driver documentation
           (Juri Lelli).
      
         - Fix a typo in the system sleep states documentation (Jonathan
           Neuschäfer)"
      
      * tag 'pm-4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PCI / PM: Check device_may_wakeup() in pci_enable_wake()
        PCI / PM: Always check PME wakeup capability for runtime wakeup support
        cpufreq: schedutil: Avoid using invalid next_freq
        cpufreq: schedutil: remove stale comment
        PM: docs: intel_pstate: fix Active Mode w/o HWP paragraph
        PM: docs: sleep-states: Fix a typo ("includig")
      41e3e108
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-4.17-rc5' of git://git.infradead.org/linux-mtd · e03dc5d3
      Linus Torvalds authored
      Pull mtd fixes from Boris Brezillon:
      
       - make nand_soft_waitrdy() wait tWB before polling the status REG
      
       - fix BCH write in the the Marvell NAND controller driver
      
       - fix wrong picosec to msec conversion in the Marvell NAND controller
         driver
      
       - fix DMA handling in the TI OneNAND controllre driver
      
      * tag 'mtd/fixes-for-4.17-rc5' of git://git.infradead.org/linux-mtd:
        mtd: rawnand: Make sure we wait tWB before polling the STATUS reg
        mtd: rawnand: marvell: fix command xtype in BCH write hook
        mtd: rawnand: marvell: pass ms delay to wait_op
        mtd: onenand: omap2: Disable DMA for HIGHMEM buffers
      e03dc5d3
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2018-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 5ae4bbf7
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2018-05-10
      
      the following series includes some fixes for mlx5 core driver.
      Please pull and let me know if there's any problem.
      
      For -stable v4.5
      ("net/mlx5: E-Switch, Include VF RDMA stats in vport statistics")
      
      For -stable v4.10
      ("net/mlx5e: Err if asked to offload TC match on frag being first")
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ae4bbf7
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.17-rc5' of git://people.freedesktop.org/~airlied/linux · ca30093d
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "nouveau, amdgpu, i915, vc4, omap, exynos and atomic fixes.
      
        As last week seemed a bit slow, we got a few more fixes this week.
      
        The main stuff is two weeks of fixes for amdgpu, some missing bits of
        vega12 atom firmware support were added, and some power management
        fixes.
      
        Nouveau got two regression fixes for an DP MST deadlock and a random
        oops fix.
      
        i915 got an LVDS panel timeout fix 2 WARN fixes.
      
        exynos fixed a pagefault issue in the mixer driver.
      
        vc4 has an oops fix.
      
        omap had a bunch of uninit var and error-checking fixes. Two atomic
        modesetting state fixes.
      
        One minor agp cleanup patch"
      
      * tag 'drm-fixes-for-v4.17-rc5' of git://people.freedesktop.org/~airlied/linux: (30 commits)
        drm/amd/pp: Fix performance drop on Fiji
        drm/nouveau: Fix deadlock in nv50_mstm_register_connector()
        drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client
        agp: uninorth: make two functions static
        drm/amd/pp: Refine the output of pp_power_profile_mode on VI
        drm/amdgpu: Switch to interruptable wait to recover from ring hang.
        drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages
        drm/amd/display: Use kvzalloc for potentially large allocations
        drm/amd/display: Don't return ddc result and read_bytes in same return value
        drm/amd/display: Add get_firmware_info_v3_2 for VG12
        drm/amd: Add BIOS smu_info v3_3 required struct def.
        drm/amd/display: Add VG12 ASIC IDs
        drm/vc4: Fix scaling of uni-planar formats
        drm/exynos: hdmi: avoid duplicating drm_bridge_attach
        drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
        drm/i915: Correctly populate user mode h/vdisplay with pipe src size during readout
        drm/i915: Adjust eDP's logical vco in a reliable place.
        drm/bridge/sii8620: add Kconfig dependency on extcon
        drm/omap: handle alloc failures in omap_connector
        drm/omap: add missing linefeeds to prints
        ...
      ca30093d
    • Andrey Ignatov's avatar
      ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg · 1b97013b
      Andrey Ignatov authored
      Fix more memory leaks in ip_cmsg_send() callers. Part of them were fixed
      earlier in 91948309.
      
      * udp_sendmsg one was there since the beginning when linux sources were
        first added to git;
      * ping_v4_sendmsg one was copy/pasted in c319b4d7.
      
      Whenever return happens in udp_sendmsg() or ping_v4_sendmsg() IP options
      have to be freed if they were allocated previously.
      
      Add label so that future callers (if any) can use it instead of kfree()
      before return that is easy to forget.
      
      Fixes: c319b4d7 (net: ipv4: add IPPROTO_ICMP socket kind)
      Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b97013b
    • Christophe JAILLET's avatar
      mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()' · 8ccc1131
      Christophe JAILLET authored
      Resources are not freed in the reverse order of the allocation.
      Labels are also mixed-up.
      
      Fix it and reorder code and labels in the error handling path of
      'mlxsw_core_bus_device_register()'
      
      Fixes: ef3116e5 ("mlxsw: spectrum: Register KVD resources with devlink")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ccc1131
    • David S. Miller's avatar
      Merge branch 'bonding-bug-fixes-and-regressions' · 89dd2e75
      David S. Miller authored
      Debabrata Banerjee says:
      
      ====================
      bonding: bug fixes and regressions
      
      Fixes to bonding driver for balance-alb mode, suitable for stable.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89dd2e75
    • Debabrata Banerjee's avatar
      bonding: send learning packets for vlans on slave · 21706ee8
      Debabrata Banerjee authored
      There was a regression at some point from the intended functionality of
      commit f60c3704 ("bonding: Fix alb mode to only use first level
      vlans.")
      
      Given the return value vlan_get_encap_level() we need to store the nest
      level of the bond device, and then compare the vlan's encap level to
      this. Without this, this check always fails and learning packets are
      never sent.
      
      In addition, this same commit caused a regression in the behavior of
      balance_alb, which requires learning packets be sent for all interfaces
      using the slave's mac in order to load balance properly. For vlan's
      that have not set a user mac, we can send after checking one bit.
      Otherwise we need send the set mac, albeit defeating rx load balancing
      for that vlan.
      Signed-off-by: default avatarDebabrata Banerjee <dbanerje@akamai.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21706ee8
    • Debabrata Banerjee's avatar
      bonding: do not allow rlb updates to invalid mac · 4fa8667c
      Debabrata Banerjee authored
      Make sure multicast, broadcast, and zero mac's cannot be the output of rlb
      updates, which should all be directed arps. Receive load balancing will be
      collapsed if any of these happen, as the switch will broadcast.
      Signed-off-by: default avatarDebabrata Banerjee <dbanerje@akamai.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4fa8667c
    • Steven Rostedt (VMware)'s avatar
      tracing: Fix regex_match_front() to not over compare the test string · dc432c3d
      Steven Rostedt (VMware) authored
      The regex match function regex_match_front() in the tracing filter logic,
      was fixed to test just the pattern length from testing the entire test
      string. That is, it went from strncmp(str, r->pattern, len) to
      strcmp(str, r->pattern, r->len).
      
      The issue is that str is not guaranteed to be nul terminated, and if r->len
      is greater than the length of str, it can access more memory than is
      allocated.
      
      The solution is to add a simple test if (len < r->len) return 0.
      
      Cc: stable@vger.kernel.org
      Fixes: 285caad4 ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      dc432c3d
    • Rafael J. Wysocki's avatar
      Merge branches 'pm-pci' and 'pm-docs' · ef050374
      Rafael J. Wysocki authored
      * pm-pci:
        PCI / PM: Check device_may_wakeup() in pci_enable_wake()
        PCI / PM: Always check PME wakeup capability for runtime wakeup support
      
      * pm-docs:
        PM: docs: intel_pstate: fix Active Mode w/o HWP paragraph
        PM: docs: sleep-states: Fix a typo ("includig")
      ef050374