1. 25 Jul, 2018 18 commits
  2. 22 Jul, 2018 22 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.143 · a8ea6276
      Greg Kroah-Hartman authored
      a8ea6276
    • Tetsuo Handa's avatar
      net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL. · bb68d6a6
      Tetsuo Handa authored
      commit 3bc53be9 upstream.
      
      syzbot is reporting stalls at nfc_llcp_send_ui_frame() [1]. This is
      because nfc_llcp_send_ui_frame() is retrying the loop without any delay
      when nonblocking nfc_alloc_send_skb() returned NULL.
      
      Since there is no need to use MSG_DONTWAIT if we retry until
      sock_alloc_send_pskb() succeeds, let's use blocking call.
      Also, in case an unexpected error occurred, let's break the loop
      if blocking nfc_alloc_send_skb() failed.
      
      [1] https://syzkaller.appspot.com/bug?id=4a131cc571c3733e0eff6bc673f4e36ae48f19c6Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <syzbot+d29d18215e477cfbfbdd@syzkaller.appspotmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb68d6a6
    • Santosh Shilimkar's avatar
      rds: avoid unenecessary cong_update in loop transport · cfc501df
      Santosh Shilimkar authored
      commit f1693c63 upstream.
      
      Loop transport which is self loopback, remote port congestion
      update isn't relevant. Infact the xmit path already ignores it.
      Receive path needs to do the same.
      
      Reported-by: syzbot+4c20b3866171ce8441d2@syzkaller.appspotmail.com
      Reviewed-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cfc501df
    • Eric Biggers's avatar
      KEYS: DNS: fix parsing multiple options · 423f8b59
      Eric Biggers authored
      commit c604cb76 upstream.
      
      My recent fix for dns_resolver_preparse() printing very long strings was
      incomplete, as shown by syzbot which still managed to hit the
      WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:
      
          precision 50001 too large
          WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0
      
      The bug this time isn't just a printing bug, but also a logical error
      when multiple options ("#"-separated strings) are given in the key
      payload.  Specifically, when separating an option string into name and
      value, if there is no value then the name is incorrectly considered to
      end at the end of the key payload, rather than the end of the current
      option.  This bypasses validation of the option length, and also means
      that specifying multiple options is broken -- which presumably has gone
      unnoticed as there is currently only one valid option anyway.
      
      A similar problem also applied to option values, as the kstrtoul() when
      parsing the "dnserror" option will read past the end of the current
      option and into the next option.
      
      Fix these bugs by correctly computing the length of the option name and
      by copying the option value, null-terminated, into a temporary buffer.
      
      Reproducer for the WARN_ONCE() that syzbot hit:
      
          perl -e 'print "#A#", "\0" x 50000' | keyctl padd dns_resolver desc @s
      
      Reproducer for "dnserror" option being parsed incorrectly (expected
      behavior is to fail when seeing the unknown option "foo", actual
      behavior was to read the dnserror value as "1#foo" and fail there):
      
          perl -e 'print "#dnserror=1#foo\0"' | keyctl padd dns_resolver desc @s
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 4a2d7892 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      423f8b59
    • Florian Westphal's avatar
      netfilter: ebtables: reject non-bridge targets · 88f65567
      Florian Westphal authored
      commit 11ff7288 upstream.
      
      the ebtables evaluation loop expects targets to return
      positive values (jumps), or negative values (absolute verdicts).
      
      This is completely different from what xtables does.
      In xtables, targets are expected to return the standard netfilter
      verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
      
      ebtables will consider these as jumps.
      
      Therefore reject any target found due to unspec fallback.
      v2: also reject watchers.  ebtables ignores their return value, so
      a target that assumes skb ownership (and returns NF_STOLEN) causes
      use-after-free.
      
      The only watchers in the 'ebtables' front-end are log and nflog;
      both have AF_BRIDGE specific wrappers on kernel side.
      
      Reported-by: syzbot+2b43f681169a2a0d306a@syzkaller.appspotmail.com
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88f65567
    • Paul Burton's avatar
      MIPS: Use async IPIs for arch_trigger_cpumask_backtrace() · 3a7031fd
      Paul Burton authored
      commit b63e132b upstream.
      
      The current MIPS implementation of arch_trigger_cpumask_backtrace() is
      broken because it attempts to use synchronous IPIs despite the fact that
      it may be run with interrupts disabled.
      
      This means that when arch_trigger_cpumask_backtrace() is invoked, for
      example by the RCU CPU stall watchdog, we may:
      
        - Deadlock due to use of synchronous IPIs with interrupts disabled,
          causing the CPU that's attempting to generate the backtrace output
          to hang itself.
      
        - Not succeed in generating the desired output from remote CPUs.
      
        - Produce warnings about this from smp_call_function_many(), for
          example:
      
          [42760.526910] INFO: rcu_sched detected stalls on CPUs/tasks:
          [42760.535755]  0-...!: (1 GPs behind) idle=ade/140000000000000/0 softirq=526944/526945 fqs=0
          [42760.547874]  1-...!: (0 ticks this GP) idle=e4a/140000000000000/0 softirq=547885/547885 fqs=0
          [42760.559869]  (detected by 2, t=2162 jiffies, g=266689, c=266688, q=33)
          [42760.568927] ------------[ cut here ]------------
          [42760.576146] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:416 smp_call_function_many+0x88/0x20c
          [42760.587839] Modules linked in:
          [42760.593152] CPU: 2 PID: 1216 Comm: sh Not tainted 4.15.4-00373-gee058bb4d0c2 #2
          [42760.603767] Stack : 8e09bd20 8e09bd20 8e09bd20 fffffff0 00000007 00000006 00000000 8e09bca8
          [42760.616937]         95b2b379 95b2b379 807a0080 00000007 81944518 0000018a 00000032 00000000
          [42760.630095]         00000000 00000030 80000000 00000000 806eca74 00000009 8017e2b8 000001a0
          [42760.643169]         00000000 00000002 00000000 8e09baa4 00000008 808b8008 86d69080 8e09bca0
          [42760.656282]         8e09ad50 805e20aa 00000000 00000000 00000000 8017e2b8 00000009 801070ca
          [42760.669424]         ...
          [42760.673919] Call Trace:
          [42760.678672] [<27fde568>] show_stack+0x70/0xf0
          [42760.685417] [<84751641>] dump_stack+0xaa/0xd0
          [42760.692188] [<699d671c>] __warn+0x80/0x92
          [42760.698549] [<68915d41>] warn_slowpath_null+0x28/0x36
          [42760.705912] [<f7c76c1c>] smp_call_function_many+0x88/0x20c
          [42760.713696] [<6bbdfc2a>] arch_trigger_cpumask_backtrace+0x30/0x4a
          [42760.722216] [<f845bd33>] rcu_dump_cpu_stacks+0x6a/0x98
          [42760.729580] [<796e7629>] rcu_check_callbacks+0x672/0x6ac
          [42760.737476] [<059b3b43>] update_process_times+0x18/0x34
          [42760.744981] [<6eb94941>] tick_sched_handle.isra.5+0x26/0x38
          [42760.752793] [<478d3d70>] tick_sched_timer+0x1c/0x50
          [42760.759882] [<e56ea39f>] __hrtimer_run_queues+0xc6/0x226
          [42760.767418] [<e88bbcae>] hrtimer_interrupt+0x88/0x19a
          [42760.775031] [<6765a19e>] gic_compare_interrupt+0x2e/0x3a
          [42760.782761] [<0558bf5f>] handle_percpu_devid_irq+0x78/0x168
          [42760.790795] [<90c11ba2>] generic_handle_irq+0x1e/0x2c
          [42760.798117] [<1b6d462c>] gic_handle_local_int+0x38/0x86
          [42760.805545] [<b2ada1c7>] gic_irq_dispatch+0xa/0x14
          [42760.812534] [<90c11ba2>] generic_handle_irq+0x1e/0x2c
          [42760.820086] [<c7521934>] do_IRQ+0x16/0x20
          [42760.826274] [<9aef3ce6>] plat_irq_dispatch+0x62/0x94
          [42760.833458] [<6a94b53c>] except_vec_vi_end+0x70/0x78
          [42760.840655] [<22284043>] smp_call_function_many+0x1ba/0x20c
          [42760.848501] [<54022b58>] smp_call_function+0x1e/0x2c
          [42760.855693] [<ab9fc705>] flush_tlb_mm+0x2a/0x98
          [42760.862730] [<0844cdd0>] tlb_flush_mmu+0x1c/0x44
          [42760.869628] [<cb259b74>] arch_tlb_finish_mmu+0x26/0x3e
          [42760.877021] [<1aeaaf74>] tlb_finish_mmu+0x18/0x66
          [42760.883907] [<b3fce717>] exit_mmap+0x76/0xea
          [42760.890428] [<c4c8a2f6>] mmput+0x80/0x11a
          [42760.896632] [<a41a08f4>] do_exit+0x1f4/0x80c
          [42760.903158] [<ee01cef6>] do_group_exit+0x20/0x7e
          [42760.909990] [<13fa8d54>] __wake_up_parent+0x0/0x1e
          [42760.917045] [<46cf89d0>] smp_call_function_many+0x1a2/0x20c
          [42760.924893] [<8c21a93b>] syscall_common+0x14/0x1c
          [42760.931765] ---[ end trace 02aa09da9dc52a60 ]---
          [42760.938342] ------------[ cut here ]------------
          [42760.945311] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:291 smp_call_function_single+0xee/0xf8
          ...
      
      This patch switches MIPS' arch_trigger_cpumask_backtrace() to use async
      IPIs & smp_call_function_single_async() in order to resolve this
      problem. We ensure use of the pre-allocated call_single_data_t
      structures is serialized by maintaining a cpumask indicating that
      they're busy, and refusing to attempt to send an IPI when a CPU's bit is
      set in this mask. This should only happen if a CPU hasn't responded to a
      previous backtrace IPI - ie. if it's hung - and we print a warning to
      the console in this case.
      
      I've marked this for stable branches as far back as v4.9, to which it
      applies cleanly. Strictly speaking the faulty MIPS implementation can be
      traced further back to commit 856839b7 ("MIPS: Add
      arch_trigger_all_cpu_backtrace() function") in v3.19, but kernel
      versions v3.19 through v4.8 will require further work to backport due to
      the rework performed in commit 9a01c3ed ("nmi_backtrace: add more
      trigger_*_cpu_backtrace() methods").
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19597/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Huacai Chen <chenhc@lemote.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.9+
      Fixes: 856839b7 ("MIPS: Add arch_trigger_all_cpu_backtrace() function")
      Fixes: 9a01c3ed ("nmi_backtrace: add more trigger_*_cpu_backtrace() methods")
      [ Huacai: backported to 4.4: Restruction since generic NMI solution is unavailable ]
      Signed-off-by: default avatarHuacai Chen <chenhc@lemote.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a7031fd
    • Paul Burton's avatar
      MIPS: Call dump_stack() from show_regs() · 5396b1a6
      Paul Burton authored
      commit 5a267832 upstream.
      
      The generic nmi_cpu_backtrace() function calls show_regs() when a struct
      pt_regs is available, and dump_stack() otherwise. If we were to make use
      of the generic nmi_cpu_backtrace() with MIPS' current implementation of
      show_regs() this would mean that we see only register data with no
      accompanying stack information, in contrast with our current
      implementation which calls dump_stack() regardless of whether register
      state is available.
      
      In preparation for making use of the generic nmi_cpu_backtrace() to
      implement arch_trigger_cpumask_backtrace(), have our implementation of
      show_regs() call dump_stack() and drop the explicit dump_stack() call in
      arch_dump_stack() which is invoked by arch_trigger_cpumask_backtrace().
      
      This will allow the output we produce to remain the same after a later
      patch switches to using nmi_cpu_backtrace(). It may mean that we produce
      extra stack output in other uses of show_regs(), but this:
      
        1) Seems harmless.
        2) Is good for consistency between arch_trigger_cpumask_backtrace()
           and other users of show_regs().
        3) Matches the behaviour of the ARM & PowerPC architectures.
      
      Marked for stable back to v4.9 as a prerequisite of the following patch
      "MIPS: Call dump_stack() from show_regs()".
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19596/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Huacai Chen <chenhc@lemote.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.9+
      Signed-off-by: default avatarHuacai Chen <chenhc@lemote.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5396b1a6
    • Ping-Ke Shih's avatar
      rtlwifi: rtl8821ae: fix firmware is not ready to run · 99f303b3
      Ping-Ke Shih authored
      commit 9a98302d upstream.
      
      Without this patch, firmware will not run properly on rtl8821ae, and it
      causes bad user experience. For example, bad connection performance with
      low rate, higher power consumption, and so on.
      
      rtl8821ae uses two kinds of firmwares for normal and WoWlan cases, and
      each firmware has firmware data buffer and size individually. Original
      code always overwrite size of normal firmware rtlpriv->rtlhal.fwsize, and
      this mismatch causes firmware checksum error, then firmware can't start.
      
      In this situation, driver gives message "Firmware is not ready to run!".
      
      Fixes: fe89707f ("rtlwifi: rtl8821ae: Simplify loading of WOWLAN firmware")
      Signed-off-by: default avatarPing-Ke Shih <pkshih@realtek.com>
      Cc: Stable <stable@vger.kernel.org> # 4.0+
      Reviewed-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99f303b3
    • Gustavo A. R. Silva's avatar
      net: cxgb3_main: fix potential Spectre v1 · f6927277
      Gustavo A. R. Silva authored
      commit 676bcfec upstream.
      
      t.qset_idx can be indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
      warn: potential spectre issue 'adapter->msix_info'
      
      Fix this by sanitizing t.qset_idx before using it to index
      adapter->msix_info
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6927277
    • Alex Vesker's avatar
      net/mlx5: Fix command interface race in polling mode · be86990b
      Alex Vesker authored
      [ Upstream commit d412c31d ]
      
      The command interface can work in two modes: Events and Polling.
      In the general case, each time we invoke a command, a work is
      queued to handle it.
      
      When working in events, the interrupt handler completes the
      command execution. On the other hand, when working in polling
      mode, the work itself completes it.
      
      Due to a bug in the work handler, a command could have been
      completed by the interrupt handler, while the work handler
      hasn't finished yet, causing the it to complete once again
      if the command interface mode was changed from Events to
      polling after the interrupt handler was called.
      
      mlx5_unload_one()
              mlx5_stop_eqs()
                      // Destroy the EQ before cmd EQ
                      ...cmd_work_handler()
                              write_doorbell()
                              --> EVENT_TYPE_CMD
                                      mlx5_cmd_comp_handler() // First free
                                              free_ent(cmd, ent->idx)
                                              complete(&ent->done)
      
              <-- mlx5_stop_eqs //cmd was complete
                      // move to polling before destroying the last cmd EQ
                      mlx5_cmd_use_polling()
                              cmd->mode = POLL;
      
                      --> cmd_work_handler (continues)
                              if (cmd->mode == POLL)
                                      mlx5_cmd_comp_handler() // Double free
      
      The solution is to store the cmd->mode before writing the doorbell.
      
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be86990b
    • Konstantin Khlebnikov's avatar
      net_sched: blackhole: tell upper qdisc about dropped packets · be604aa5
      Konstantin Khlebnikov authored
      [ Upstream commit 7e85dc8c ]
      
      When blackhole is used on top of classful qdisc like hfsc it breaks
      qlen and backlog counters because packets are disappear without notice.
      
      In HFSC non-zero qlen while all classes are inactive triggers warning:
      WARNING: ... at net/sched/sch_hfsc.c:1393 hfsc_dequeue+0xba4/0xe90 [sch_hfsc]
      and schedules watchdog work endlessly.
      
      This patch return __NET_XMIT_BYPASS in addition to NET_XMIT_SUCCESS,
      this flag tells upper layer: this packet is gone and isn't queued.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be604aa5
    • Jason Wang's avatar
      vhost_net: validate sock before trying to put its fd · 5e6b3946
      Jason Wang authored
      [ Upstream commit b8f1f658 ]
      
      Sock will be NULL if we pass -1 to vhost_net_set_backend(), but when
      we meet errors during ubuf allocation, the code does not check for
      NULL before calling sockfd_put(), this will lead NULL
      dereferencing. Fixing by checking sock pointer before.
      
      Fixes: bab632d6 ("vhost: vhost TX zero-copy support")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e6b3946
    • Ilpo Järvinen's avatar
      tcp: prevent bogus FRTO undos with non-SACK flows · 61c66cc5
      Ilpo Järvinen authored
      [ Upstream commit 1236f22f ]
      
      If SACK is not enabled and the first cumulative ACK after the RTO
      retransmission covers more than the retransmitted skb, a spurious
      FRTO undo will trigger (assuming FRTO is enabled for that RTO).
      The reason is that any non-retransmitted segment acknowledged will
      set FLAG_ORIG_SACK_ACKED in tcp_clean_rtx_queue even if there is
      no indication that it would have been delivered for real (the
      scoreboard is not kept with TCPCB_SACKED_ACKED bits in the non-SACK
      case so the check for that bit won't help like it does with SACK).
      Having FLAG_ORIG_SACK_ACKED set results in the spurious FRTO undo
      in tcp_process_loss.
      
      We need to use more strict condition for non-SACK case and check
      that none of the cumulatively ACKed segments were retransmitted
      to prove that progress is due to original transmissions. Only then
      keep FLAG_ORIG_SACK_ACKED set, allowing FRTO undo to proceed in
      non-SACK case.
      
      (FLAG_ORIG_SACK_ACKED is planned to be renamed to FLAG_ORIG_PROGRESS
      to better indicate its purpose but to keep this change minimal, it
      will be done in another patch).
      
      Besides burstiness and congestion control violations, this problem
      can result in RTO loop: When the loss recovery is prematurely
      undoed, only new data will be transmitted (if available) and
      the next retransmission can occur only after a new RTO which in case
      of multiple losses (that are not for consecutive packets) requires
      one RTO per loss to recover.
      Signed-off-by: default avatarIlpo Järvinen <ilpo.jarvinen@helsinki.fi>
      Tested-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      61c66cc5
    • Yuchung Cheng's avatar
      tcp: fix Fast Open key endianness · 84aeeb1a
      Yuchung Cheng authored
      [ Upstream commit c860e997 ]
      
      Fast Open key could be stored in different endian based on the CPU.
      Previously hosts in different endianness in a server farm using
      the same key config (sysctl value) would produce different cookies.
      This patch fixes it by always storing it as little endian to keep
      same API for LE hosts.
      Reported-by: default avatarDaniele Iamartino <danielei@google.com>
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84aeeb1a
    • Jiri Slaby's avatar
      r8152: napi hangup fix after disconnect · 73852461
      Jiri Slaby authored
      [ Upstream commit 0ee1f473 ]
      
      When unplugging an r8152 adapter while the interface is UP, the NIC
      becomes unusable.  usb->disconnect (aka rtl8152_disconnect) deletes
      napi. Then, rtl8152_disconnect calls unregister_netdev and that invokes
      netdev->ndo_stop (aka rtl8152_close). rtl8152_close tries to
      napi_disable, but the napi is already deleted by disconnect above. So
      the first while loop in napi_disable never finishes. This results in
      complete deadlock of the network layer as there is rtnl_mutex held by
      unregister_netdev.
      
      So avoid the call to napi_disable in rtl8152_close when the device is
      already gone.
      
      The other calls to usb_kill_urb, cancel_delayed_work_sync,
      netif_stop_queue etc. seem to be fine. The urb and netdev is not
      destroyed yet.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: linux-usb@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      73852461
    • Sudarsana Reddy Kalluru's avatar
      qed: Limit msix vectors in kdump kernel to the minimum required count. · 6f6d1452
      Sudarsana Reddy Kalluru authored
      [ Upstream commit bb7858ba ]
      
      Memory size is limited in the kdump kernel environment. Allocation of more
      msix-vectors (or queues) consumes few tens of MBs of memory, which might
      lead to the kdump kernel failure.
      This patch adds changes to limit the number of MSI-X vectors in kdump
      kernel to minimum required value (i.e., 2 per engine).
      
      Fixes: fe56b9e6 ("qed: Add module with basic common support")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f6d1452
    • Eric Dumazet's avatar
      net: sungem: fix rx checksum support · 6ac40d2d
      Eric Dumazet authored
      [ Upstream commit 12b03558 ]
      
      After commit 88078d98 ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE
      are friends"), sungem owners reported the infamous "eth0: hw csum failure"
      message.
      
      CHECKSUM_COMPLETE has in fact never worked for this driver, but this
      was masked by the fact that upper stacks had to strip the FCS, and
      therefore skb->ip_summed was set back to CHECKSUM_NONE before
      my recent change.
      
      Driver configures a number of bytes to skip when the chip computes
      the checksum, and for some reason only half of the Ethernet header
      was skipped.
      
      Then a second problem is that we should strip the FCS by default,
      unless the driver is updated to eventually support NETIF_F_RXFCS in
      the future.
      
      Finally, a driver should check if NETIF_F_RXCSUM feature is enabled
      or not, so that the admin can turn off rx checksum if wanted.
      
      Many thanks to Andreas Schwab and Mathieu Malaterre for their
      help in debugging this issue.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarMeelis Roos <mroos@linux.ee>
      Reported-by: default avatarMathieu Malaterre <malat@debian.org>
      Reported-by: default avatarAndreas Schwab <schwab@linux-m68k.org>
      Tested-by: default avatarAndreas Schwab <schwab@linux-m68k.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ac40d2d
    • Alex Vesker's avatar
      net/mlx5: Fix incorrect raw command length parsing · 2f3def9a
      Alex Vesker authored
      [ Upstream commit 603b7bcf ]
      
      The NULL character was not set correctly for the string containing
      the command length, this caused failures reading the output of the
      command due to a random length. The fix is to initialize the output
      length string.
      
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f3def9a
    • Eric Dumazet's avatar
      net: dccp: switch rx_tstamp_last_feedback to monotonic clock · 29dbaecd
      Eric Dumazet authored
      [ Upstream commit 0ce4e70f ]
      
      To compute delays, better not use time of the day which can
      be changed by admins or malicious programs.
      
      Also change ccid3_first_li() to use s64 type for delta variable
      to avoid potential overflows.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
      Cc: dccp@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29dbaecd
    • Eric Dumazet's avatar
      net: dccp: avoid crash in ccid3_hc_rx_send_feedback() · e41074e9
      Eric Dumazet authored
      [ Upstream commit 74174fe5 ]
      
      On fast hosts or malicious bots, we trigger a DCCP_BUG() which
      seems excessive.
      
      syzbot reported :
      
      BUG: delta (-6195) <= 0 at net/dccp/ccids/ccid3.c:628/ccid3_hc_rx_send_feedback()
      CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.18.0-rc1+ #112
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       ccid3_hc_rx_send_feedback net/dccp/ccids/ccid3.c:628 [inline]
       ccid3_hc_rx_packet_recv.cold.16+0x38/0x71 net/dccp/ccids/ccid3.c:793
       ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
       dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
       dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
       dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
       sk_backlog_rcv include/net/sock.h:914 [inline]
       __sk_receive_skb+0x3ba/0xd80 net/core/sock.c:517
       dccp_v4_rcv+0x10f9/0x1f58 net/dccp/ipv4.c:875
       ip_local_deliver_finish+0x2eb/0xda0 net/ipv4/ip_input.c:215
       NF_HOOK include/linux/netfilter.h:287 [inline]
       ip_local_deliver+0x1e9/0x750 net/ipv4/ip_input.c:256
       dst_input include/net/dst.h:450 [inline]
       ip_rcv_finish+0x823/0x2220 net/ipv4/ip_input.c:396
       NF_HOOK include/linux/netfilter.h:287 [inline]
       ip_rcv+0xa18/0x1284 net/ipv4/ip_input.c:492
       __netif_receive_skb_core+0x2488/0x3680 net/core/dev.c:4628
       __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693
       process_backlog+0x219/0x760 net/core/dev.c:5373
       napi_poll net/core/dev.c:5771 [inline]
       net_rx_action+0x7da/0x1980 net/core/dev.c:5837
       __do_softirq+0x2e8/0xb17 kernel/softirq.c:284
       run_ksoftirqd+0x86/0x100 kernel/softirq.c:645
       smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
       kthread+0x345/0x410 kernel/kthread.c:240
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
      Cc: dccp@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e41074e9
    • Gustavo A. R. Silva's avatar
      atm: zatm: Fix potential Spectre v1 · af4bae09
      Gustavo A. R. Silva authored
      [ Upstream commit ced9e191 ]
      
      pool can be indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/atm/zatm.c:1491 zatm_ioctl() warn: potential spectre issue
      'zatm_dev->pool_info' (local cap)
      
      Fix this by sanitizing pool before using it to index
      zatm_dev->pool_info
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af4bae09
    • Christian Lamparter's avatar
      crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak · 517340a7
      Christian Lamparter authored
      commit 5d59ad6e upstream.
      
      If one of the later memory allocations in rypto4xx_build_pdr()
      fails: dev->pdr (and/or) dev->pdr_uinfo wouldn't be freed.
      
      crypto4xx_build_sdr() has the same issue with dev->sdr.
      Signed-off-by: default avatarChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarAmit Pundir <amit.pundir@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      517340a7