1. 29 May, 2018 7 commits
    • Suresh Reddy's avatar
      be2net: Fix error detection logic for BE3 · d2c2725c
      Suresh Reddy authored
      Check for 0xE00 (RECOVERABLE_ERR) along with ARMFW UE (0x0)
      in be_detect_error() to know whether the error is valid error or not
      
      Fixes: 673c96e5 ("be2net: Fix UE detection logic for BE3")
      Signed-off-by: default avatarSuresh Reddy <suresh.reddy@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2c2725c
    • Josh Hill's avatar
      net: qmi_wwan: Add Netgear Aircard 779S · 2415f3bd
      Josh Hill authored
      Add support for Netgear Aircard 779S
      Signed-off-by: default avatarJosh Hill <josh@joshuajhill.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2415f3bd
    • Petr Machata's avatar
      mlxsw: spectrum: Forbid creation of VLAN 1 over port/LAG · 47bf9df2
      Petr Machata authored
      VLAN 1 is internally used for untagged traffic. Prevent creation of
      explicit netdevice for that VLAN, because that currently isn't supported
      and leads to the NULL pointer dereference cited below.
      
      Fix by preventing creation of VLAN devices with VID of 1 over mlxsw
      devices or LAG devices that involve mlxsw devices.
      
      [  327.175816] ================================================================================
      [  327.184544] UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c:200:12
      [  327.193667] member access within null pointer of type 'const struct mlxsw_sp_fid'
      [  327.201226] CPU: 0 PID: 8983 Comm: ip Not tainted 4.17.0-rc4-petrm_net_ip6gre_headroom-custom-140 #11
      [  327.210496] Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2F"/"SA000874", BIOS 4.6.5 03/08/2016
      [  327.219872] Call Trace:
      [  327.222384]  dump_stack+0xc3/0x12b
      [  327.234007]  ubsan_epilogue+0x9/0x49
      [  327.237638]  ubsan_type_mismatch_common+0x1f9/0x2d0
      [  327.255769]  __ubsan_handle_type_mismatch+0x90/0xa7
      [  327.264716]  mlxsw_sp_fid_type+0x35/0x50 [mlxsw_spectrum]
      [  327.270255]  mlxsw_sp_port_vlan_router_leave+0x46/0xc0 [mlxsw_spectrum]
      [  327.277019]  mlxsw_sp_inetaddr_port_vlan_event+0xe1/0x340 [mlxsw_spectrum]
      [  327.315031]  mlxsw_sp_netdevice_vrf_event+0xa8/0x100 [mlxsw_spectrum]
      [  327.321626]  mlxsw_sp_netdevice_event+0x276/0x430 [mlxsw_spectrum]
      [  327.367863]  notifier_call_chain+0x4c/0x150
      [  327.372128]  __netdev_upper_dev_link+0x1b3/0x260
      [  327.399450]  vrf_add_slave+0xce/0x170 [vrf]
      [  327.403703]  do_setlink+0x658/0x1d70
      [  327.508998]  rtnl_newlink+0x908/0xf20
      [  327.559128]  rtnetlink_rcv_msg+0x50c/0x720
      [  327.571720]  netlink_rcv_skb+0x16a/0x1f0
      [  327.583450]  netlink_unicast+0x2ca/0x3e0
      [  327.599305]  netlink_sendmsg+0x3e2/0x7f0
      [  327.616655]  sock_sendmsg+0x76/0xc0
      [  327.620207]  ___sys_sendmsg+0x494/0x5d0
      [  327.666117]  __sys_sendmsg+0xc2/0x130
      [  327.690953]  do_syscall_64+0x66/0x370
      [  327.694677]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  327.699782] RIP: 0033:0x7f4c2f3f8037
      [  327.703393] RSP: 002b:00007ffe8c389708 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  327.711035] RAX: ffffffffffffffda RBX: 000000005b03f53e RCX: 00007f4c2f3f8037
      [  327.718229] RDX: 0000000000000000 RSI: 00007ffe8c389760 RDI: 0000000000000003
      [  327.725431] RBP: 00007ffe8c389760 R08: 0000000000000000 R09: 00007f4c2f443630
      [  327.732632] R10: 00000000000005eb R11: 0000000000000246 R12: 0000000000000000
      [  327.739833] R13: 00000000006774e0 R14: 00007ffe8c3897e8 R15: 0000000000000000
      [  327.747096] ================================================================================
      
      Fixes: 9589a7b5 ("mlxsw: spectrum: Handle VLAN devices linking / unlinking")
      Suggested-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      47bf9df2
    • Ivan Bornyakov's avatar
      atm: zatm: fix memcmp casting · f9c6442a
      Ivan Bornyakov authored
      memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One
      can lose significant bits and get 0 from non-0 value returned by the
      memcmp().
      Signed-off-by: default avatarIvan Bornyakov <brnkv.i1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9c6442a
    • Ard Biesheuvel's avatar
      net: netsec: reduce DMA mask to 40 bits · 31256426
      Ard Biesheuvel authored
      The netsec network controller IP can drive 64 address bits for DMA, and
      the DMA mask is set accordingly in the driver. However, the SynQuacer
      SoC, which is the only silicon incorporating this IP at the moment,
      integrates this IP in a manner that leaves address bits [63:40]
      unconnected.
      
      Up until now, this has not resulted in any problems, given that the DDR
      controller doesn't decode those bits to begin with. However, recent
      firmware updates for platforms incorporating this SoC allow the IOMMU
      to be enabled, which does decode address bits [47:40], and allocates
      top down from the IOVA space, producing DMA addresses that have bits
      set that have been left unconnected.
      
      Both the DT and ACPI (IORT) descriptions of the platform take this into
      account, and only describe a DMA address space of 40 bits (using either
      dma-ranges DT properties, or DMA address limits in IORT named component
      nodes). However, even though our IOMMU and bus layers may take such
      limitations into account by setting a narrower DMA mask when creating
      the platform device, the netsec probe() entrypoint follows the common
      practice of setting the DMA mask uncondionally, according to the
      capabilities of the IP block itself rather than to its integration into
      the chip.
      
      It is currently unclear what the correct fix is here. We could hack around
      it by only setting the DMA mask if it deviates from its default value of
      DMA_BIT_MASK(32). However, this makes it impossible for the bus layer to
      use DMA_BIT_MASK(32) as the bus limit, and so it appears that a more
      comprehensive approach is required to take DMA limits imposed by the
      SoC as a whole into account.
      
      In the mean time, let's limit the DMA mask to 40 bits. Given that there
      is currently only one SoC that incorporates this IP, this is a reasonable
      approach that can be backported to -stable and buys us some time to come
      up with a proper fix going forward.
      
      Fixes: 533dd11a ("net: socionext: Add Synquacer NetSec driver")
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Jassi Brar <jaswinder.singh@linaro.org>
      Cc: Masahisa Kojima <masahisa.kojima@linaro.org>
      Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Reviewed-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Acked-by: default avatarJassi Brar <jaswinder.singh@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31256426
    • Mathieu Xhonneux's avatar
      ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline · bbb40a0b
      Mathieu Xhonneux authored
      seg6_do_srh_encap and seg6_do_srh_inline can possibly do an
      out-of-bounds access when adding the SRH to the packet. This no longer
      happen when expanding the skb not only by the size of the SRH (+
      outer IPv6 header), but also by skb->mac_len.
      
      [   53.793056] BUG: KASAN: use-after-free in seg6_do_srh_encap+0x284/0x620
      [   53.794564] Write of size 14 at addr ffff88011975ecfa by task ping/674
      
      [   53.796665] CPU: 0 PID: 674 Comm: ping Not tainted 4.17.0-rc3-ARCH+ #90
      [   53.796670] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS 1.11.0-20171110_100015-anatol 04/01/2014
      [   53.796673] Call Trace:
      [   53.796679]  <IRQ>
      [   53.796689]  dump_stack+0x71/0xab
      [   53.796700]  print_address_description+0x6a/0x270
      [   53.796707]  kasan_report+0x258/0x380
      [   53.796715]  ? seg6_do_srh_encap+0x284/0x620
      [   53.796722]  memmove+0x34/0x50
      [   53.796730]  seg6_do_srh_encap+0x284/0x620
      [   53.796741]  ? seg6_do_srh+0x29b/0x360
      [   53.796747]  seg6_do_srh+0x29b/0x360
      [   53.796756]  seg6_input+0x2e/0x2e0
      [   53.796765]  lwtunnel_input+0x93/0xd0
      [   53.796774]  ipv6_rcv+0x690/0x920
      [   53.796783]  ? ip6_input+0x170/0x170
      [   53.796791]  ? eth_gro_receive+0x2d0/0x2d0
      [   53.796800]  ? ip6_input+0x170/0x170
      [   53.796809]  __netif_receive_skb_core+0xcc0/0x13f0
      [   53.796820]  ? netdev_info+0x110/0x110
      [   53.796827]  ? napi_complete_done+0xb6/0x170
      [   53.796834]  ? e1000_clean+0x6da/0xf70
      [   53.796845]  ? process_backlog+0x129/0x2a0
      [   53.796853]  process_backlog+0x129/0x2a0
      [   53.796862]  net_rx_action+0x211/0x5c0
      [   53.796870]  ? napi_complete_done+0x170/0x170
      [   53.796887]  ? run_rebalance_domains+0x11f/0x150
      [   53.796891]  __do_softirq+0x10e/0x39e
      [   53.796894]  do_softirq_own_stack+0x2a/0x40
      [   53.796895]  </IRQ>
      [   53.796898]  do_softirq.part.16+0x54/0x60
      [   53.796900]  __local_bh_enable_ip+0x5b/0x60
      [   53.796903]  ip6_finish_output2+0x416/0x9f0
      [   53.796906]  ? ip6_dst_lookup_flow+0x110/0x110
      [   53.796909]  ? ip6_sk_dst_lookup_flow+0x390/0x390
      [   53.796911]  ? __rcu_read_unlock+0x66/0x80
      [   53.796913]  ? ip6_mtu+0x44/0xf0
      [   53.796916]  ? ip6_output+0xfc/0x220
      [   53.796918]  ip6_output+0xfc/0x220
      [   53.796921]  ? ip6_finish_output+0x2b0/0x2b0
      [   53.796923]  ? memcpy+0x34/0x50
      [   53.796926]  ip6_send_skb+0x43/0xc0
      [   53.796929]  rawv6_sendmsg+0x1216/0x1530
      [   53.796932]  ? __orc_find+0x6b/0xc0
      [   53.796934]  ? rawv6_rcv_skb+0x160/0x160
      [   53.796937]  ? __rcu_read_unlock+0x66/0x80
      [   53.796939]  ? __rcu_read_unlock+0x66/0x80
      [   53.796942]  ? is_bpf_text_address+0x1e/0x30
      [   53.796944]  ? kernel_text_address+0xec/0x100
      [   53.796946]  ? __kernel_text_address+0xe/0x30
      [   53.796948]  ? unwind_get_return_address+0x2f/0x50
      [   53.796950]  ? __save_stack_trace+0x92/0x100
      [   53.796954]  ? save_stack+0x89/0xb0
      [   53.796956]  ? kasan_kmalloc+0xa0/0xd0
      [   53.796958]  ? kmem_cache_alloc+0xd2/0x1f0
      [   53.796961]  ? prepare_creds+0x23/0x160
      [   53.796963]  ? __x64_sys_capset+0x252/0x3e0
      [   53.796966]  ? do_syscall_64+0x69/0x160
      [   53.796968]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   53.796971]  ? __alloc_pages_nodemask+0x170/0x380
      [   53.796973]  ? __alloc_pages_slowpath+0x12c0/0x12c0
      [   53.796977]  ? tty_vhangup+0x20/0x20
      [   53.796979]  ? policy_nodemask+0x1a/0x90
      [   53.796982]  ? __mod_node_page_state+0x8d/0xa0
      [   53.796986]  ? __check_object_size+0xe7/0x240
      [   53.796989]  ? __sys_sendto+0x229/0x290
      [   53.796991]  ? rawv6_rcv_skb+0x160/0x160
      [   53.796993]  __sys_sendto+0x229/0x290
      [   53.796996]  ? __ia32_sys_getpeername+0x50/0x50
      [   53.796999]  ? commit_creds+0x2de/0x520
      [   53.797002]  ? security_capset+0x57/0x70
      [   53.797004]  ? __x64_sys_capset+0x29f/0x3e0
      [   53.797007]  ? __x64_sys_rt_sigsuspend+0xe0/0xe0
      [   53.797011]  ? __do_page_fault+0x664/0x770
      [   53.797014]  __x64_sys_sendto+0x74/0x90
      [   53.797017]  do_syscall_64+0x69/0x160
      [   53.797019]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   53.797022] RIP: 0033:0x7f43b7a6714a
      [   53.797023] RSP: 002b:00007ffd891bd368 EFLAGS: 00000246 ORIG_RAX:
      000000000000002c
      [   53.797026] RAX: ffffffffffffffda RBX: 00000000006129c0 RCX: 00007f43b7a6714a
      [   53.797028] RDX: 0000000000000040 RSI: 00000000006129c0 RDI: 0000000000000004
      [   53.797029] RBP: 00007ffd891be640 R08: 0000000000610940 R09: 000000000000001c
      [   53.797030] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
      [   53.797032] R13: 000000000060e6a0 R14: 0000000000008004 R15: 000000000040b661
      
      [   53.797171] Allocated by task 642:
      [   53.797460]  kasan_kmalloc+0xa0/0xd0
      [   53.797463]  kmem_cache_alloc+0xd2/0x1f0
      [   53.797465]  getname_flags+0x40/0x210
      [   53.797467]  user_path_at_empty+0x1d/0x40
      [   53.797469]  do_faccessat+0x12a/0x320
      [   53.797471]  do_syscall_64+0x69/0x160
      [   53.797473]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [   53.797607] Freed by task 642:
      [   53.797869]  __kasan_slab_free+0x130/0x180
      [   53.797871]  kmem_cache_free+0xa8/0x230
      [   53.797872]  filename_lookup+0x15b/0x230
      [   53.797874]  do_faccessat+0x12a/0x320
      [   53.797876]  do_syscall_64+0x69/0x160
      [   53.797878]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [   53.798014] The buggy address belongs to the object at ffff88011975e600
                      which belongs to the cache names_cache of size 4096
      [   53.799043] The buggy address is located 1786 bytes inside of
                      4096-byte region [ffff88011975e600, ffff88011975f600)
      [   53.800013] The buggy address belongs to the page:
      [   53.800414] page:ffffea000465d600 count:1 mapcount:0
      mapping:0000000000000000 index:0x0 compound_mapcount: 0
      [   53.801259] flags: 0x17fff0000008100(slab|head)
      [   53.801640] raw: 017fff0000008100 0000000000000000 0000000000000000
      0000000100070007
      [   53.803147] raw: dead000000000100 dead000000000200 ffff88011b185a40
      0000000000000000
      [   53.803787] page dumped because: kasan: bad access detected
      
      [   53.804384] Memory state around the buggy address:
      [   53.804788]  ffff88011975eb80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.805384]  ffff88011975ec00: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.805979] >ffff88011975ec80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.806577]                                                                 ^
      [   53.807165]  ffff88011975ed00: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.807762]  ffff88011975ed80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.808356] ==================================================================
      [   53.808949] Disabling lock debugging due to kernel taint
      
      Fixes: 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
      Signed-off-by: default avatarDavid Lebrun <dlebrun@google.com>
      Signed-off-by: default avatarMathieu Xhonneux <m.xhonneux@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bbb40a0b
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 513acc5b
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter/IPVS fixes for your net tree:
      
      1) Null pointer dereference when dumping conntrack helper configuration,
         from Taehee Yoo.
      
      2) Missing sanitization in ebtables extension name through compat,
         from Paolo Abeni.
      
      3) Broken fetch of tracing value, from Taehee Yoo.
      
      4) Incorrect arithmetics in packet ratelimiting.
      
      5) Buffer overflow in IPVS sync daemon, from Julian Anastasov.
      
      6) Wrong argument to nla_strlcpy() in nfnetlink_{acct,cthelper},
         from Eric Dumazet.
      
      7) Fix splat in nft_update_chain_stats().
      
      8) Null pointer dereference from object netlink dump path, from
         Taehee Yoo.
      
      9) Missing static_branch_inc() when enabling counters in existing
         chain, from Taehee Yoo.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      513acc5b
  2. 28 May, 2018 3 commits
    • Taehee Yoo's avatar
      netfilter: nf_tables: increase nft_counters_enabled in nft_chain_stats_replace() · bbb8c61f
      Taehee Yoo authored
      When a chain is updated, a counter can be attached. if so,
      the nft_counters_enabled should be increased.
      
      test commands:
      
         %nft add table ip filter
         %nft add chain ip filter input { type filter hook input priority 4\; }
         %iptables-compat -Z input
         %nft delete chain ip filter input
      
      we can see below messages.
      
      [  286.443720] jump label: negative count!
      [  286.448278] WARNING: CPU: 0 PID: 1459 at kernel/jump_label.c:197 __static_key_slow_dec_cpuslocked+0x6f/0xf0
      [  286.449144] Modules linked in: nf_tables nfnetlink ip_tables x_tables
      [  286.449144] CPU: 0 PID: 1459 Comm: nft Tainted: G        W         4.17.0-rc2+ #12
      [  286.449144] RIP: 0010:__static_key_slow_dec_cpuslocked+0x6f/0xf0
      [  286.449144] RSP: 0018:ffff88010e5176f0 EFLAGS: 00010286
      [  286.449144] RAX: 000000000000001b RBX: ffffffffc0179500 RCX: ffffffffb8a82522
      [  286.449144] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88011b7e5eac
      [  286.449144] RBP: 0000000000000000 R08: ffffed00236fce5c R09: ffffed00236fce5b
      [  286.449144] R10: ffffffffc0179503 R11: ffffed00236fce5c R12: 0000000000000000
      [  286.449144] R13: ffff88011a28e448 R14: ffff88011a28e470 R15: dffffc0000000000
      [  286.449144] FS:  00007f0384328700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
      [  286.449144] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  286.449144] CR2: 00007f038394bf10 CR3: 0000000104a86000 CR4: 00000000001006f0
      [  286.449144] Call Trace:
      [  286.449144]  static_key_slow_dec+0x6a/0x70
      [  286.449144]  nf_tables_chain_destroy+0x19d/0x210 [nf_tables]
      [  286.449144]  nf_tables_commit+0x1891/0x1c50 [nf_tables]
      [  286.449144]  nfnetlink_rcv+0x1148/0x13d0 [nfnetlink]
      [ ... ]
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      bbb8c61f
    • Taehee Yoo's avatar
      netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj() · 360cc79d
      Taehee Yoo authored
      The table field in nft_obj_filter is not an array. In order to check
      tablename, we should check if the pointer is set.
      
      Test commands:
      
         %nft add table ip filter
         %nft add counter ip filter ct1
         %nft reset counters
      
      Splat looks like:
      
      [  306.510504] kasan: CONFIG_KASAN_INLINE enabled
      [  306.516184] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  306.524775] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  306.528284] Modules linked in: nft_objref nft_counter nf_tables nfnetlink ip_tables x_tables
      [  306.528284] CPU: 0 PID: 1488 Comm: nft Not tainted 4.17.0-rc4+ #17
      [  306.528284] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
      [  306.528284] RIP: 0010:nf_tables_dump_obj+0x52c/0xa70 [nf_tables]
      [  306.528284] RSP: 0018:ffff8800b6cb7520 EFLAGS: 00010246
      [  306.528284] RAX: 0000000000000000 RBX: ffff8800b6c49820 RCX: 0000000000000000
      [  306.528284] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffed0016d96e9a
      [  306.528284] RBP: ffff8800b6cb75c0 R08: ffffed00236fce7c R09: ffffed00236fce7b
      [  306.528284] R10: ffffffff9f6241e8 R11: ffffed00236fce7c R12: ffff880111365108
      [  306.528284] R13: 0000000000000000 R14: ffff8800b6c49860 R15: ffff8800b6c49860
      [  306.528284] FS:  00007f838b007700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
      [  306.528284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  306.528284] CR2: 00007ffeafabcf78 CR3: 00000000b6cbe000 CR4: 00000000001006f0
      [  306.528284] Call Trace:
      [  306.528284]  netlink_dump+0x470/0xa20
      [  306.528284]  __netlink_dump_start+0x5ae/0x690
      [  306.528284]  ? nf_tables_getobj+0x1b3/0x740 [nf_tables]
      [  306.528284]  nf_tables_getobj+0x2f5/0x740 [nf_tables]
      [  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  306.528284]  ? nf_tables_getobj+0x740/0x740 [nf_tables]
      [  306.528284]  ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
      [  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  306.528284]  nfnetlink_rcv_msg+0x8ff/0x932 [nfnetlink]
      [  306.528284]  ? nfnetlink_rcv_msg+0x216/0x932 [nfnetlink]
      [  306.528284]  netlink_rcv_skb+0x1c9/0x2f0
      [  306.528284]  ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
      [  306.528284]  ? debug_check_no_locks_freed+0x270/0x270
      [  306.528284]  ? netlink_ack+0x7a0/0x7a0
      [  306.528284]  ? ns_capable_common+0x6e/0x110
      [ ... ]
      
      Fixes: e46abbcc ("netfilter: nf_tables: Allow table names of up to 255 chars")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      360cc79d
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: disable preemption in nft_update_chain_stats() · ad9d9e85
      Pablo Neira Ayuso authored
      This patch fixes the following splat.
      
      [118709.054937] BUG: using smp_processor_id() in preemptible [00000000] code: test/1571
      [118709.054970] caller is nft_update_chain_stats.isra.4+0x53/0x97 [nf_tables]
      [118709.054980] CPU: 2 PID: 1571 Comm: test Not tainted 4.17.0-rc6+ #335
      [...]
      [118709.054992] Call Trace:
      [118709.055011]  dump_stack+0x5f/0x86
      [118709.055026]  check_preemption_disabled+0xd4/0xe4
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ad9d9e85
  3. 26 May, 2018 18 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · bc2dbc54
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "16 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        kasan: fix memory hotplug during boot
        kasan: free allocated shadow memory on MEM_CANCEL_ONLINE
        checkpatch: fix macro argument precedence test
        init/main.c: include <linux/mem_encrypt.h>
        kernel/sys.c: fix potential Spectre v1 issue
        mm/memory_hotplug: fix leftover use of struct page during hotplug
        proc: fix smaps and meminfo alignment
        mm: do not warn on offline nodes unless the specific node is explicitly requested
        mm, memory_hotplug: make has_unmovable_pages more robust
        mm/kasan: don't vfree() nonexistent vm_area
        MAINTAINERS: change hugetlbfs maintainer and update files
        ipc/shm: fix shmat() nil address after round-down when remapping
        Revert "ipc/shm: Fix shmat mmap nil-page protection"
        idr: fix invalid ptr dereference on item delete
        ocfs2: revert "ocfs2/o2hb: check len for bio_add_page() to avoid getting incorrect bio"
        mm: fix nr_rotate_swap leak in swapon() error case
      bc2dbc54
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 03250e10
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Let's begin the holiday weekend with some networking fixes:
      
         1) Whoops need to restrict cfg80211 wiphy names even more to 64
            bytes. From Eric Biggers.
      
         2) Fix flags being ignored when using kernel_connect() with SCTP,
            from Xin Long.
      
         3) Use after free in DCCP, from Alexey Kodanev.
      
         4) Need to check rhltable_init() return value in ipmr code, from Eric
            Dumazet.
      
         5) XDP handling fixes in virtio_net from Jason Wang.
      
         6) Missing RTA_TABLE in rtm_ipv4_policy[], from Roopa Prabhu.
      
         7) Need to use IRQ disabling spinlocks in mlx4_qp_lookup(), from Jack
            Morgenstein.
      
         8) Prevent out-of-bounds speculation using indexes in BPF, from
            Daniel Borkmann.
      
         9) Fix regression added by AF_PACKET link layer cure, from Willem de
            Bruijn.
      
        10) Correct ENIC dma mask, from Govindarajulu Varadarajan.
      
        11) Missing config options for PMTU tests, from Stefano Brivio"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (48 commits)
        ibmvnic: Fix partial success login retries
        selftests/net: Add missing config options for PMTU tests
        mlx4_core: allocate ICM memory in page size chunks
        enic: set DMA mask to 47 bit
        ppp: remove the PPPIOCDETACH ioctl
        ipv4: remove warning in ip_recv_error
        net : sched: cls_api: deal with egdev path only if needed
        vhost: synchronize IOTLB message with dev cleanup
        packet: fix reserve calculation
        net/mlx5: IPSec, Fix a race between concurrent sandbox QP commands
        net/mlx5e: When RXFCS is set, add FCS data into checksum calculation
        bpf: properly enforce index mask to prevent out-of-bounds speculation
        net/mlx4: Fix irq-unsafe spinlock usage
        net: phy: broadcom: Fix bcm_write_exp()
        net: phy: broadcom: Fix auxiliary control register reads
        net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy
        net/mlx4: fix spelling mistake: "Inrerface" -> "Interface" and rephrase message
        ibmvnic: Only do H_EOI for mobility events
        tuntap: correctly set SOCKWQ_ASYNC_NOSPACE
        virtio-net: fix leaking page for gso packet during mergeable XDP
        ...
      03250e10
    • David Hildenbrand's avatar
      kasan: fix memory hotplug during boot · 3f195972
      David Hildenbrand authored
      Using module_init() is wrong.  E.g.  ACPI adds and onlines memory before
      our memory notifier gets registered.
      
      This makes sure that ACPI memory detected during boot up will not result
      in a kernel crash.
      
      Easily reproducible with QEMU, just specify a DIMM when starting up.
      
      Link: http://lkml.kernel.org/r/20180522100756.18478-3-david@redhat.com
      Fixes: 786a8959 ("kasan: disable memory hotplug")
      Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3f195972
    • David Hildenbrand's avatar
      kasan: free allocated shadow memory on MEM_CANCEL_ONLINE · ed1596f9
      David Hildenbrand authored
      We have to free memory again when we cancel onlining, otherwise a later
      onlining attempt will fail.
      
      Link: http://lkml.kernel.org/r/20180522100756.18478-2-david@redhat.com
      Fixes: fa69b598 ("mm/kasan: add support for memory hotplug")
      Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ed1596f9
    • Joe Perches's avatar
      checkpatch: fix macro argument precedence test · d41362ed
      Joe Perches authored
      checkpatch's macro argument precedence test is broken so fix it.
      
      Link: http://lkml.kernel.org/r/5dd900e9197febc1995604bb33c23c136d8b33ce.camel@perches.comSigned-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d41362ed
    • Mathieu Malaterre's avatar
      init/main.c: include <linux/mem_encrypt.h> · ae67d58d
      Mathieu Malaterre authored
      In commit c7753208 ("x86, swiotlb: Add memory encryption support") a
      call to function `mem_encrypt_init' was added.  Include prototype
      defined in header <linux/mem_encrypt.h> to prevent a warning reported
      during compilation with W=1:
      
        init/main.c:494:20: warning: no previous prototype for `mem_encrypt_init' [-Wmissing-prototypes]
      
      Link: http://lkml.kernel.org/r/20180522195533.31415-1-malat@debian.orgSigned-off-by: default avatarMathieu Malaterre <malat@debian.org>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Laura Abbott <lauraa@codeaurora.org>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Cc: Gargi Sharma <gs051095@gmail.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ae67d58d
    • Gustavo A. R. Silva's avatar
      kernel/sys.c: fix potential Spectre v1 issue · 23d6aef7
      Gustavo A. R. Silva authored
      `resource' can be controlled by user-space, hence leading to a potential
      exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
        kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)
        kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)
      
      Fix this by sanitizing *resource* before using it to index
      current->signal->rlim
      
      Notice that given that speculation windows are large, the policy is to
      kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.comSigned-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      23d6aef7
    • Jonathan Cameron's avatar
      mm/memory_hotplug: fix leftover use of struct page during hotplug · a2155861
      Jonathan Cameron authored
      The case of a new numa node got missed in avoiding using the node info
      from page_struct during hotplug.  In this path we have a call to
      register_mem_sect_under_node (which allows us to specify it is hotplug
      so don't change the node), via link_mem_sections which unfortunately
      does not.
      
      Fix is to pass check_nid through link_mem_sections as well and disable
      it in the new numa node path.
      
      Note the bug only 'sometimes' manifests depending on what happens to be
      in the struct page structures - there are lots of them and it only needs
      to match one of them.
      
      The result of the bug is that (with a new memory only node) we never
      successfully call register_mem_sect_under_node so don't get the memory
      associated with the node in sysfs and meminfo for the node doesn't
      report it.
      
      It came up whilst testing some arm64 hotplug patches, but appears to be
      universal.  Whilst I'm triggering it by removing then reinserting memory
      to a node with no other elements (thus making the node disappear then
      appear again), it appears it would happen on hotplugging memory where
      there was none before and it doesn't seem to be related the arm64
      patches.
      
      These patches call __add_pages (where most of the issue was fixed by
      Pavel's patch).  If there is a node at the time of the __add_pages call
      then all is well as it calls register_mem_sect_under_node from there
      with check_nid set to false.  Without a node that function returns
      having not done the sysfs related stuff as there is no node to use.
      This is expected but it is the resulting path that fails...
      
      Exact path to the problem is as follows:
      
       mm/memory_hotplug.c: add_memory_resource()
      
         The node is not online so we enter the 'if (new_node)' twice, on the
         second such block there is a call to link_mem_sections which calls
         into
      
        drivers/node.c: link_mem_sections() which calls
      
        drivers/node.c: register_mem_sect_under_node() which calls
           get_nid_for_pfn and keeps trying until the output of that matches
           the expected node (passed all the way down from
           add_memory_resource)
      
      It is effectively the same fix as the one referred to in the fixes tag
      just in the code path for a new node where the comments point out we
      have to rerun the link creation because it will have failed in
      register_new_memory (as there was no node at the time).  (actually that
      comment is wrong now as we don't have register_new_memory any more it
      got renamed to hotplug_memory_register in Pavel's patch).
      
      Link: http://lkml.kernel.org/r/20180504085311.1240-1-Jonathan.Cameron@huawei.com
      Fixes: fc44f7f9 ("mm/memory_hotplug: don't read nid from struct page during hotplug")
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Reviewed-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a2155861
    • Hugh Dickins's avatar
      proc: fix smaps and meminfo alignment · 6c04ab0e
      Hugh Dickins authored
      The 4.17-rc /proc/meminfo and /proc/<pid>/smaps look ugly: single-digit
      numbers (commonly 0) are misaligned.
      
      Remove seq_put_decimal_ull_width()'s leftover optimization for single
      digits: it's wrong now that num_to_str() takes care of the width.
      
      Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1805241554210.1326@eggly.anvils
      Fixes: d1be35cb ("proc: add seq_put_decimal_ull_width to speed up /proc/pid/smaps")
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Andrei Vagin <avagin@openvz.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6c04ab0e
    • Michal Hocko's avatar
      mm: do not warn on offline nodes unless the specific node is explicitly requested · 8addc2d0
      Michal Hocko authored
      Oscar has noticed that we splat
      
         WARNING: CPU: 0 PID: 64 at ./include/linux/gfp.h:467 vmemmap_alloc_block+0x4e/0xc9
         [...]
         CPU: 0 PID: 64 Comm: kworker/u4:1 Tainted: G        W   E     4.17.0-rc5-next-20180517-1-default+ #66
         Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
         Workqueue: kacpi_hotplug acpi_hotplug_work_fn
         Call Trace:
          vmemmap_populate+0xf2/0x2ae
          sparse_mem_map_populate+0x28/0x35
          sparse_add_one_section+0x4c/0x187
          __add_pages+0xe7/0x1a0
          add_pages+0x16/0x70
          add_memory_resource+0xa3/0x1d0
          add_memory+0xe4/0x110
          acpi_memory_device_add+0x134/0x2e0
          acpi_bus_attach+0xd9/0x190
          acpi_bus_scan+0x37/0x70
          acpi_device_hotplug+0x389/0x4e0
          acpi_hotplug_work_fn+0x1a/0x30
          process_one_work+0x146/0x340
          worker_thread+0x47/0x3e0
          kthread+0xf5/0x130
          ret_from_fork+0x35/0x40
      
      when adding memory to a node that is currently offline.
      
      The VM_WARN_ON is just too loud without a good reason.  In this
      particular case we are doing
      
      	alloc_pages_node(node, GFP_KERNEL|__GFP_RETRY_MAYFAIL|__GFP_NOWARN, order)
      
      so we do not insist on allocating from the given node (it is more a
      hint) so we can fall back to any other populated node and moreover we
      explicitly ask to not warn for the allocation failure.
      
      Soften the warning only to cases when somebody asks for the given node
      explicitly by __GFP_THISNODE.
      
      Link: http://lkml.kernel.org/r/20180523125555.30039-3-mhocko@kernel.orgSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: default avatarOscar Salvador <osalvador@techadventures.net>
      Tested-by: default avatarOscar Salvador <osalvador@techadventures.net>
      Reviewed-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Reza Arbab <arbab@linux.vnet.ibm.com>
      Cc: Igor Mammedov <imammedo@redhat.com>
      Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
      Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8addc2d0
    • Michal Hocko's avatar
      mm, memory_hotplug: make has_unmovable_pages more robust · 15c30bc0
      Michal Hocko authored
      Oscar has reported:
      : Due to an unfortunate setting with movablecore, memblocks containing bootmem
      : memory (pages marked by get_page_bootmem()) ended up marked in zone_movable.
      : So while trying to remove that memory, the system failed in do_migrate_range
      : and __offline_pages never returned.
      :
      : This can be reproduced by running
      : qemu-system-x86_64 -m 6G,slots=8,maxmem=8G -numa node,mem=4096M -numa node,mem=2048M
      : and movablecore=4G kernel command line
      :
      : linux kernel: BIOS-provided physical RAM map:
      : linux kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
      : linux kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
      : linux kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
      : linux kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000bffdffff] usable
      : linux kernel: BIOS-e820: [mem 0x00000000bffe0000-0x00000000bfffffff] reserved
      : linux kernel: BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved
      : linux kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
      : linux kernel: BIOS-e820: [mem 0x0000000100000000-0x00000001bfffffff] usable
      : linux kernel: NX (Execute Disable) protection: active
      : linux kernel: SMBIOS 2.8 present.
      : linux kernel: DMI: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org
      : linux kernel: Hypervisor detected: KVM
      : linux kernel: e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
      : linux kernel: e820: remove [mem 0x000a0000-0x000fffff] usable
      : linux kernel: last_pfn = 0x1c0000 max_arch_pfn = 0x400000000
      :
      : linux kernel: SRAT: PXM 0 -> APIC 0x00 -> Node 0
      : linux kernel: SRAT: PXM 1 -> APIC 0x01 -> Node 1
      : linux kernel: ACPI: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff]
      : linux kernel: ACPI: SRAT: Node 0 PXM 0 [mem 0x00100000-0xbfffffff]
      : linux kernel: ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0x13fffffff]
      : linux kernel: ACPI: SRAT: Node 1 PXM 1 [mem 0x140000000-0x1bfffffff]
      : linux kernel: ACPI: SRAT: Node 0 PXM 0 [mem 0x1c0000000-0x43fffffff] hotplug
      : linux kernel: NUMA: Node 0 [mem 0x00000000-0x0009ffff] + [mem 0x00100000-0xbfffffff] -> [mem 0x0
      : linux kernel: NUMA: Node 0 [mem 0x00000000-0xbfffffff] + [mem 0x100000000-0x13fffffff] -> [mem 0
      : linux kernel: NODE_DATA(0) allocated [mem 0x13ffd6000-0x13fffffff]
      : linux kernel: NODE_DATA(1) allocated [mem 0x1bffd3000-0x1bfffcfff]
      :
      : zoneinfo shows that the zone movable is placed into both numa nodes:
      : Node 0, zone  Movable
      :   pages free     160140
      :         min      1823
      :         low      2278
      :         high     2733
      :         spanned  262144
      :         present  262144
      :         managed  245670
      : Node 1, zone  Movable
      :   pages free     448427
      :         min      3827
      :         low      4783
      :         high     5739
      :         spanned  524288
      :         present  524288
      :         managed  515766
      
      Note how only Node 0 has a hutplugable memory region which would rule it
      out from the early memblock allocations (most likely memmap).  Node1
      will surely contain memmaps on the same node and those would prevent
      offlining to succeed.  So this is arguably a configuration issue.
      Although one could argue that we should be more clever and rule early
      allocations from the zone movable.  This would be correct but probably
      not worth the effort considering what a hack movablecore is.
      
      Anyway, We could do better for those cases though.  We rely on
      start_isolate_page_range resp.  has_unmovable_pages to do their job.
      The first one isolates the whole range to be offlined so that we do not
      allocate from it anymore and the later makes sure we are not stumbling
      over non-migrateable pages.
      
      has_unmovable_pages is overly optimistic, however.  It doesn't check all
      the pages if we are withing zone_movable because we rely that those
      pages will be always migrateable.  As it turns out we are still not
      perfect there.  While bootmem pages in zonemovable sound like a clear
      bug which should be fixed let's remove the optimization for now and warn
      if we encounter unmovable pages in zone_movable in the meantime.  That
      should help for now at least.
      
      Btw.  this wasn't a real problem until commit 72b39cfc ("mm,
      memory_hotplug: do not fail offlining too early") because we used to
      have a small number of retries and then failed.  This turned out to be
      too fragile though.
      
      Link: http://lkml.kernel.org/r/20180523125555.30039-2-mhocko@kernel.orgSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: default avatarOscar Salvador <osalvador@techadventures.net>
      Tested-by: default avatarOscar Salvador <osalvador@techadventures.net>
      Reviewed-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Reza Arbab <arbab@linux.vnet.ibm.com>
      Cc: Igor Mammedov <imammedo@redhat.com>
      Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
      Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      15c30bc0
    • Andrey Ryabinin's avatar
      mm/kasan: don't vfree() nonexistent vm_area · 0f901dcb
      Andrey Ryabinin authored
      KASAN uses different routines to map shadow for hot added memory and
      memory obtained in boot process.  Attempt to offline memory onlined by
      normal boot process leads to this:
      
          Trying to vfree() nonexistent vm area (000000005d3b34b9)
          WARNING: CPU: 2 PID: 13215 at mm/vmalloc.c:1525 __vunmap+0x147/0x190
      
          Call Trace:
           kasan_mem_notifier+0xad/0xb9
           notifier_call_chain+0x166/0x260
           __blocking_notifier_call_chain+0xdb/0x140
           __offline_pages+0x96a/0xb10
           memory_subsys_offline+0x76/0xc0
           device_offline+0xb8/0x120
           store_mem_state+0xfa/0x120
           kernfs_fop_write+0x1d5/0x320
           __vfs_write+0xd4/0x530
           vfs_write+0x105/0x340
           SyS_write+0xb0/0x140
      
      Obviously we can't call vfree() to free memory that wasn't allocated via
      vmalloc().  Use find_vm_area() to see if we can call vfree().
      
      Unfortunately it's a bit tricky to properly unmap and free shadow
      allocated during boot, so we'll have to keep it.  If memory will come
      online again that shadow will be reused.
      
      Matthew asked: how can you call vfree() on something that isn't a
      vmalloc address?
      
        vfree() is able to free any address returned by
        __vmalloc_node_range().  And __vmalloc_node_range() gives you any
        address you ask.  It doesn't have to be an address in [VMALLOC_START,
        VMALLOC_END] range.
      
        That's also how the module_alloc()/module_memfree() works on
        architectures that have designated area for modules.
      
      [aryabinin@virtuozzo.com: improve comments]
        Link: http://lkml.kernel.org/r/dabee6ab-3a7a-51cd-3b86-5468718e0390@virtuozzo.com
      [akpm@linux-foundation.org: fix typos, reflow comment]
      Link: http://lkml.kernel.org/r/20180201163349.8700-1-aryabinin@virtuozzo.com
      Fixes: fa69b598 ("mm/kasan: add support for memory hotplug")
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Reported-by: default avatarPaul Menzel <pmenzel+linux-kasan-dev@molgen.mpg.de>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0f901dcb
    • Mike Kravetz's avatar
      MAINTAINERS: change hugetlbfs maintainer and update files · b9ddff9b
      Mike Kravetz authored
      The current hugetlbfs maintainer has not been active for more than a few
      years.  I have been been active in this area for more than two years and
      plan to remain active in the foreseeable future.
      
      Also, update the hugetlbfs entry to include linux-mm mail list and
      additional hugetlbfs related files.  hugetlb.c and hugetlb.h are not
      100% hugetlbfs, but a majority of their content is hugetlbfs related.
      
      Link: http://lkml.kernel.org/r/20180518225236.19079-1-mike.kravetz@oracle.comSigned-off-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Acked-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Nadia Yvette Chambers <nyc@holomorphy.com>
      Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b9ddff9b
    • Davidlohr Bueso's avatar
      ipc/shm: fix shmat() nil address after round-down when remapping · 8f89c007
      Davidlohr Bueso authored
      shmat()'s SHM_REMAP option forbids passing a nil address for; this is in
      fact the very first thing we check for.  Andrea reported that for
      SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check,
      but we need to check again if the address was rounded down to nil.  As
      of this patch, such cases will return -EINVAL.
      
      Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Reported-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Cc: Joe Lawrence <joe.lawrence@redhat.com>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8f89c007
    • Davidlohr Bueso's avatar
      Revert "ipc/shm: Fix shmat mmap nil-page protection" · a73ab244
      Davidlohr Bueso authored
      Patch series "ipc/shm: shmat() fixes around nil-page".
      
      These patches fix two issues reported[1] a while back by Joe and Andrea
      around how shmat(2) behaves with nil-page.
      
      The first reverts a commit that it was incorrectly thought that mapping
      nil-page (address=0) was a no no with MAP_FIXED.  This is not the case,
      with the exception of SHM_REMAP; which is address in the second patch.
      
      I chose two patches because it is easier to backport and it explicitly
      reverts bogus behaviour.  Both patches ought to be in -stable and ltp
      testcases need updated (the added testcase around the cve can be
      modified to just test for SHM_RND|SHM_REMAP).
      
      [1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805
      
      This patch (of 2):
      
      Commit 95e91b83 ("ipc/shm: Fix shmat mmap nil-page protection")
      worked on the idea that we should not be mapping as root addr=0 and
      MAP_FIXED.  However, it was reported that this scenario is in fact
      valid, thus making the patch both bogus and breaks userspace as well.
      
      For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem
      initialization[1].
      
      [1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/int10/linux.c#n347
      Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net
      Fixes: 95e91b83 ("ipc/shm: Fix shmat mmap nil-page protection")
      Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Reported-by: default avatarJoe Lawrence <joe.lawrence@redhat.com>
      Reported-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a73ab244
    • Matthew Wilcox's avatar
      idr: fix invalid ptr dereference on item delete · 7a4deea1
      Matthew Wilcox authored
      If the radix tree underlying the IDR happens to be full and we attempt
      to remove an id which is larger than any id in the IDR, we will call
      __radix_tree_delete() with an uninitialised 'slot' pointer, at which
      point anything could happen.  This was easiest to hit with a single
      entry at id 0 and attempting to remove a non-0 id, but it could have
      happened with 64 entries and attempting to remove an id >= 64.
      
      Roman said:
      
        The syzcaller test boils down to opening /dev/kvm, creating an
        eventfd, and calling a couple of KVM ioctls. None of this requires
        superuser. And the result is dereferencing an uninitialized pointer
        which is likely a crash. The specific path caught by syzbot is via
        KVM_HYPERV_EVENTD ioctl which is new in 4.17. But I guess there are
        other user-triggerable paths, so cc:stable is probably justified.
      
      Matthew added:
      
        We have around 250 calls to idr_remove() in the kernel today. Many of
        them pass an ID which is embedded in the object they're removing, so
        they're safe. Picking a few likely candidates:
      
        drivers/firewire/core-cdev.c looks unsafe; the ID comes from an ioctl.
        drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c is similar
        drivers/atm/nicstar.c could be taken down by a handcrafted packet
      
      Link: http://lkml.kernel.org/r/20180518175025.GD6361@bombadil.infradead.org
      Fixes: 0a835c4f ("Reimplement IDR and IDA using the radix tree")
      Reported-by: <syzbot+35666cba7f0a337e2e79@syzkaller.appspotmail.com>
      Debugged-by: default avatarRoman Kagan <rkagan@virtuozzo.com>
      Signed-off-by: default avatarMatthew Wilcox <mawilcox@microsoft.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7a4deea1
    • Changwei Ge's avatar
      ocfs2: revert "ocfs2/o2hb: check len for bio_add_page() to avoid getting incorrect bio" · 3373de20
      Changwei Ge authored
      This reverts commit ba16ddfb ("ocfs2/o2hb: check len for
      bio_add_page() to avoid getting incorrect bio").
      
      In my testing, this patch introduces a problem that mkfs can't have
      slots more than 16 with 4k block size.
      
      And the original logic is safe actually with the situation it mentions
      so revert this commit.
      
      Attach test log:
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 0, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 1, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 2, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 3, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 4, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 5, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 6, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 7, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 8, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 9, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 10, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 11, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 12, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 13, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 14, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 15, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:463 page 16, vec_len = 4096, vec_start = 0
        (mkfs.ocfs2,27479,2):o2hb_setup_one_bio:471 ERROR: Adding page[16] to bio failed, page ffffea0002d7ed40, len 0, vec_len 4096, vec_start 0,bi_sector 8192
        (mkfs.ocfs2,27479,2):o2hb_read_slots:500 ERROR: status = -5
        (mkfs.ocfs2,27479,2):o2hb_populate_slot_data:1911 ERROR: status = -5
        (mkfs.ocfs2,27479,2):o2hb_region_dev_write:2012 ERROR: status = -5
      
      Link: http://lkml.kernel.org/r/SIXPR06MB0461721F398A5A92FC68C39ED5920@SIXPR06MB0461.apcprd06.prod.outlook.comSigned-off-by: default avatarChangwei Ge <ge.changwei@h3c.com>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: Yiwen Jiang <jiangyiwen@huawei.com>
      Cc: Joseph Qi <jiangqi903@gmail.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3373de20
    • Omar Sandoval's avatar
      mm: fix nr_rotate_swap leak in swapon() error case · 7cbf3192
      Omar Sandoval authored
      If swapon() fails after incrementing nr_rotate_swap, we don't decrement
      it and thus effectively leak it.  Make sure we decrement it if we
      incremented it.
      
      Link: http://lkml.kernel.org/r/b6fe6b879f17fa68eee6cbd876f459f6e5e33495.1526491581.git.osandov@fb.com
      Fixes: 81a0298b ("mm, swap: don't use VMA based swap readahead if HDD is used as swap")
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Reviewed-by: default avatarRik van Riel <riel@surriel.com>
      Reviewed-by: default avatar"Huang, Ying" <ying.huang@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7cbf3192
  4. 25 May, 2018 12 commits
    • Thomas Falcon's avatar
      ibmvnic: Fix partial success login retries · eb110410
      Thomas Falcon authored
      In its current state, the driver will handle backing device
      login in a loop for a certain number of retries while the
      device returns a partial success, indicating that the driver
      may need to try again using a smaller number of resources.
      
      The variable it checks to continue retrying may change
      over the course of operations, resulting in reallocation
      of resources but exits without sending the login attempt.
      Guard against this by introducing a boolean variable that
      will retain the state indicating that the driver needs to
      reattempt login with backing device firmware.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb110410
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · d2f30f51
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-05-24
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix a bug in the original fix to prevent out of bounds speculation when
         multiple tail call maps from different branches or calls end up at the
         same tail call helper invocation, from Daniel.
      
      2) Two selftest fixes, one in reuseport_bpf_numa where test is skipped in
         case of missing numa support and another one to update kernel config to
         properly support xdp_meta.sh test, from Anders.
      
       ...
      
      Would be great if you have a chance to merge net into net-next after that.
      
      The verifier fix would be needed later as a dependency in bpf-next for
      upcomig work there. When you do the merge there's a trivial conflict on
      BPF side with 849fa506 ("bpf/verifier: refine retval R0 state for
      bpf_get_stack helper"): Resolution is to keep both functions, the
      do_refine_retval_range() and record_func_map().
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2f30f51
    • Stefano Brivio's avatar
      selftests/net: Add missing config options for PMTU tests · 24e4b075
      Stefano Brivio authored
      PMTU tests in pmtu.sh need support for VTI, VTI6 and dummy
      interfaces: add them to config file.
      Reported-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Fixes: d1f1b9cb ("selftests: net: Introduce first PMTU test")
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      24e4b075
    • David S. Miller's avatar
      Merge tag 'batadv-net-for-davem-20180524' of git://git.open-mesh.org/linux-merge · e3ffec48
      David S. Miller authored
      Simon Wunderlich says:
      
      ====================
      Here are some batman-adv bugfixes:
      
       - prevent hardif_put call with NULL parameter, by Colin Ian King
      
       - Avoid race in Translation Table allocator, by Sven Eckelmann
      
       - Fix Translation Table sync flags for intermediate Responses,
         by Linus Luessing
      
       - prevent sending inconsistent Translation Table TVLVs,
         by Marek Lindner
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3ffec48
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 62d18ecf
      Linus Torvalds authored
      Pull more arm64 fixes from Will Deacon:
      
       - fix application of read-only permissions to kernel section mappings
      
       - sanitise reported ESR values for signals delivered on a kernel
         address
      
       - ensure tishift GCC helpers are exported to modules
      
       - fix inline asm constraints for some LSE atomics
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: Make sure permission updates happen for pmd/pud
        arm64: fault: Don't leak data in ESR context for user fault on kernel VA
        arm64: export tishift functions to modules
        arm64: lse: Add early clobbers to some input/output asm operands
      62d18ecf
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.17-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · b133ef6e
      Linus Torvalds authored
      Pull powerpc fix from Michael Ellerman:
       "Just one fix, to make sure the PCR (Processor Compatibility Register)
        is reset on boot.
      
        Otherwise if we're running in compat mode in a guest (eg. pretending a
        Power9 is a Power8) and the host kernel oopses and kdumps then the
        kdump kernel's userspace will be running in Power8 mode, and will
        SIGILL if it uses Power9-only instructions.
      
        Thanks to Michael Neuling"
      
      * tag 'powerpc-4.17-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/64s: Clear PCR on boot
      b133ef6e
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · f287fe35
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Propagate correct error code for RPMB requests
      
        MMC host:
         - sdhci-iproc: Drop hard coded cap for 1.8v
         - sdhci-iproc: Fix 32bit writes for transfer mode
         - sdhci-iproc: Enable SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus"
      
      * tag 'mmc-v4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-iproc: add SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus
        mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
        mmc: sdhci-iproc: remove hard coded mmc cap 1.8v
        mmc: block: propagate correct returned value in mmc_rpmb_ioctl
      f287fe35
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.17-rc7' of git://people.freedesktop.org/~airlied/linux · b9f57019
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Only two sets of drivers fixes: one rcar-du lvds regression fix, and a
        group of fixes for vmwgfx"
      
      * tag 'drm-fixes-for-v4.17-rc7' of git://people.freedesktop.org/~airlied/linux:
        drm/vmwgfx: Schedule an fb dirty update after resume
        drm/vmwgfx: Fix host logging / guestinfo reading error paths
        drm/vmwgfx: Fix 32-bit VMW_PORT_HB_[IN|OUT] macros
        drm: rcar-du: lvds: Fix crash in .atomic_check when disabling connector
      b9f57019
    • Linus Torvalds's avatar
      Merge tag 'sound-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · a1a9f537
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Two fixes:
      
         - a timer pause event notification was garbled upon the recent
           hardening work; corrected now
      
         - HD-audio runtime PM regression fix due to the incorrect return
           type"
      
      * tag 'sound-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Fix runtime PM
        ALSA: timer: Fix pause event notification
      a1a9f537
    • Qing Huang's avatar
      mlx4_core: allocate ICM memory in page size chunks · 1383cb81
      Qing Huang authored
      When a system is under memory presure (high usage with fragments),
      the original 256KB ICM chunk allocations will likely trigger kernel
      memory management to enter slow path doing memory compact/migration
      ops in order to complete high order memory allocations.
      
      When that happens, user processes calling uverb APIs may get stuck
      for more than 120s easily even though there are a lot of free pages
      in smaller chunks available in the system.
      
      Syslog:
      ...
      Dec 10 09:04:51 slcc03db02 kernel: [397078.572732] INFO: task
      oracle_205573_e:205573 blocked for more than 120 seconds.
      ...
      
      With 4KB ICM chunk size on x86_64 arch, the above issue is fixed.
      
      However in order to support smaller ICM chunk size, we need to fix
      another issue in large size kcalloc allocations.
      
      E.g.
      Setting log_num_mtt=30 requires 1G mtt entries. With the 4KB ICM chunk
      size, each ICM chunk can only hold 512 mtt entries (8 bytes for each mtt
      entry). So we need a 16MB allocation for a table->icm pointer array to
      hold 2M pointers which can easily cause kcalloc to fail.
      
      The solution is to use kvzalloc to replace kcalloc which will fall back
      to vmalloc automatically if kmalloc fails.
      Signed-off-by: default avatarQing Huang <qing.huang@oracle.com>
      Acked-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Reviewed-by: default avatarZhu Yanjun <yanjun.zhu@oracle.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1383cb81
    • Govindarajulu Varadarajan's avatar
      enic: set DMA mask to 47 bit · 322eaa06
      Govindarajulu Varadarajan authored
      In commit 624dbf55 ("driver/net: enic: Try DMA 64 first, then
      failover to DMA") DMA mask was changed from 40 bits to 64 bits.
      Hardware actually supports only 47 bits.
      
      Fixes: 624dbf55 ("driver/net: enic: Try DMA 64 first, then failover to DMA")
      Signed-off-by: default avatarGovindarajulu Varadarajan <gvaradar@cisco.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      322eaa06
    • Eric Biggers's avatar
      ppp: remove the PPPIOCDETACH ioctl · af8d3c7c
      Eric Biggers authored
      The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
      before f_count has reached 0, which is fundamentally a bad idea.  It
      does check 'f_count < 2', which excludes concurrent operations on the
      file since they would only be possible with a shared fd table, in which
      case each fdget() would take a file reference.  However, it fails to
      account for the fact that even with 'f_count == 1' the file can still be
      linked into epoll instances.  As reported by syzbot, this can trivially
      be used to cause a use-after-free.
      
      Yet, the only known user of PPPIOCDETACH is pppd versions older than
      ppp-2.4.2, which was released almost 15 years ago (November 2003).
      Also, PPPIOCDETACH apparently stopped working reliably at around the
      same time, when the f_count check was added to the kernel, e.g. see
      https://lkml.org/lkml/2002/12/31/83.  Also, the current 'f_count < 2'
      check makes PPPIOCDETACH only work in single-threaded applications; it
      always fails if called from a multithreaded application.
      
      All pppd versions released in the last 15 years just close() the file
      descriptor instead.
      
      Therefore, instead of hacking around this bug by exporting epoll
      internals to modules, and probably missing other related bugs, just
      remove the PPPIOCDETACH ioctl and see if anyone actually notices.  Leave
      a stub in place that prints a one-time warning and returns EINVAL.
      
      Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Acked-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Reviewed-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Tested-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af8d3c7c