  1. 08 Apr, 2018 11 commits
    • sctp: do not leak kernel memory to user space · 6780db24
      Eric Dumazet committed
      syzbot produced a nice report [1]
      
      Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory
      to user space, because sin_zero (padding field) was not properly cleared.
      
      [1]
      BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
      BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227
      CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
       kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
       copy_to_user include/linux/uaccess.h:184 [inline]
       move_addr_to_user+0x32e/0x530 net/socket.c:227
       ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
       __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
       SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
       SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x4401c9
      RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
      RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010
      R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0
      R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
      
      Local variable description: ----addr@___sys_recvmsg
      Variable was created at:
       ___sys_recvmsg+0xd5/0x810 net/socket.c:2172
       __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
      
      Bytes 8-15 of 16 are uninitialized
      
      ==================================================================
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G    B            4.16.0+ #82
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       panic+0x39d/0x940 kernel/panic.c:183
       kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
       kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
       kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
       copy_to_user include/linux/uaccess.h:184 [inline]
       move_addr_to_user+0x32e/0x530 net/socket.c:227
       ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
       __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
       SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
       SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc:	Vlad Yasevich <vyasevich@gmail.com>
      Cc:	Neil Horman <nhorman@tuxdriver.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
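
      The sin_zero leak described in the commit above, reproduced in user space as an added example (not code from the commit or the kernel). It assumes the Linux layout of struct sockaddr_in; the helper names and the 0xAA marker for stale stack bytes are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed marker standing in for whatever the stack slot held before. */
#define STALE 0xAA

struct leak_report {
    int count;  /* stale bytes that would reach the caller */
    int first;  /* offset of the first stale byte, -1 if none */
    int last;   /* offset of the last stale byte, -1 if none */
};

typedef void (*fill_fn)(struct sockaddr_in *, uint32_t, uint16_t);

/* "Before": only the meaningful fields are written; sin_zero keeps old bytes. */
static void fill_addr_leaky(struct sockaddr_in *sin, uint32_t addr_be,
                            uint16_t port_be)
{
    sin->sin_family = AF_INET;
    sin->sin_port = port_be;
    sin->sin_addr.s_addr = addr_be;
}

/* "After": same fields, and the padding is cleared explicitly. */
static void fill_addr_cleared(struct sockaddr_in *sin, uint32_t addr_be,
                              uint16_t port_be)
{
    fill_addr_leaky(sin, addr_be, port_be);
    memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
}

/* Models the reported path: an on-stack address is filled in, then the
 * whole structure, padding included, is copied out to the caller. */
static struct leak_report export_report(fill_fn fill)
{
    struct sockaddr_in addr;
    unsigned char user_copy[sizeof(addr)];
    struct leak_report r = { 0, -1, -1 };

    memset(&addr, STALE, sizeof(addr));           /* reused stack slot */
    fill(&addr, htonl(0x7f000001), htons(9899));  /* values contain no 0xAA */
    memcpy(user_copy, &addr, sizeof(addr));       /* stand-in for copy_to_user() */

    for (size_t i = 0; i < sizeof(user_copy); i++) {
        if (user_copy[i] != STALE)
            continue;
        if (r.first < 0)
            r.first = (int)i;
        r.last = (int)i;
        r.count++;
    }
    return r;
}

int main(void)
{
    struct leak_report a = export_report(fill_addr_leaky);
    struct leak_report b = export_report(fill_addr_cleared);

    printf("leaky:   %d stale bytes, offsets %d-%d of %zu\n",
           a.count, a.first, a.last, sizeof(struct sockaddr_in));
    printf("cleared: %d stale bytes\n", b.count);
    return 0;
}
```

      The stale range lines up with KMSAN's "Bytes 8-15 of 16 are uninitialized": the copy length covers the padding, so every byte of the structure has to be written before it is exported.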
    • Merge branch 'net-fix-uninit-values-in-networking-stack' · ccb48e83
      David S. Miller committed
      Eric Dumazet says:
      
      ====================
      net: fix uninit-values in networking stack
      
      It seems syzbot got new features enabled, and fired some interesting
      reports. Oh well.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • soreuseport: initialise timewait reuseport field · 3099a529
      Eric Dumazet committed
      syzbot reported an uninit-value in inet_csk_bind_conflict() [1]
      
      It turns out we never propagated sk->sk_reuseport into timewait socket.
      
      [1]
      BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
      CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
       inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320
       inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399
       SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
       SyS_bind+0x54/0x80 net/socket.c:1460
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x4416e9
      RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031
      RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9
      RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004
      RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08
      R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478
      R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
       tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283
       tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
       tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __release_sock+0x2d6/0x680 net/core/sock.c:2271
       release_sock+0x97/0x2a0 net/core/sock.c:2786
       tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
       inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
       inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
       sock_release net/socket.c:595 [inline]
       sock_close+0xe0/0x300 net/socket.c:1149
       __fput+0x49e/0xa10 fs/file_table.c:209
       ____fput+0x37/0x40 fs/file_table.c:243
       task_work_run+0x243/0x2c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x10e1/0x38d0 kernel/exit.c:867
       do_group_exit+0x1a0/0x360 kernel/exit.c:970
       SYSC_exit_group+0x21/0x30 kernel/exit.c:981
       SyS_exit_group+0x25/0x30 kernel/exit.c:979
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
       inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182
       tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
       tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
       tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __release_sock+0x2d6/0x680 net/core/sock.c:2271
       release_sock+0x97/0x2a0 net/core/sock.c:2786
       tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
       inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
       inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
       sock_release net/socket.c:595 [inline]
       sock_close+0xe0/0x300 net/socket.c:1149
       __fput+0x49e/0xa10 fs/file_table.c:209
       ____fput+0x37/0x40 fs/file_table.c:243
       task_work_run+0x243/0x2c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x10e1/0x38d0 kernel/exit.c:867
       do_group_exit+0x1a0/0x360 kernel/exit.c:970
       SYSC_exit_group+0x21/0x30 kernel/exit.c:981
       SyS_exit_group+0x25/0x30 kernel/exit.c:979
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
       inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163
       tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
       tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
       tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __release_sock+0x2d6/0x680 net/core/sock.c:2271
       release_sock+0x97/0x2a0 net/core/sock.c:2786
       tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
       inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
       inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
       sock_release net/socket.c:595 [inline]
       sock_close+0xe0/0x300 net/socket.c:1149
       __fput+0x49e/0xa10 fs/file_table.c:209
       ____fput+0x37/0x40 fs/file_table.c:243
       task_work_run+0x243/0x2c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x10e1/0x38d0 kernel/exit.c:867
       do_group_exit+0x1a0/0x360 kernel/exit.c:970
       SYSC_exit_group+0x21/0x30 kernel/exit.c:981
       SyS_exit_group+0x25/0x30 kernel/exit.c:979
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Fixes: da5e3630 ("soreuseport: TCP/IPv4 implementation")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: fix uninit-value in ip_route_output_key_hash_rcu() · d0ea2b12
      Eric Dumazet committed
      syzbot complained that res.type could be used while not initialized.
      
      Using RTN_UNSPEC as initial value seems better than using garbage.
      
      BUG: KMSAN: uninit-value in __mkroute_output net/ipv4/route.c:2200 [inline]
      BUG: KMSAN: uninit-value in ip_route_output_key_hash_rcu+0x31f0/0x3940 net/ipv4/route.c:2493
      CPU: 1 PID: 12207 Comm: syz-executor0 Not tainted 4.16.0+ #81
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       __mkroute_output net/ipv4/route.c:2200 [inline]
       ip_route_output_key_hash_rcu+0x31f0/0x3940 net/ipv4/route.c:2493
       ip_route_output_key_hash net/ipv4/route.c:2322 [inline]
       __ip_route_output_key include/net/route.h:126 [inline]
       ip_route_output_flow+0x1eb/0x3c0 net/ipv4/route.c:2577
       raw_sendmsg+0x1861/0x3ed0 net/ipv4/raw.c:653
       inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
       SyS_sendto+0x8a/0xb0 net/socket.c:1715
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x455259
      RSP: 002b:00007fdc0625dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007fdc0625e6d4 RCX: 0000000000455259
      RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000013
      RBP: 000000000072bea0 R08: 0000000020000080 R09: 0000000000000010
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000004f7 R14: 00000000006fa7c8 R15: 0000000000000000
      
      Local variable description: ----res.i.i@ip_route_output_flow
      Variable was created at:
       ip_route_output_flow+0x75/0x3c0 net/ipv4/route.c:2576
       raw_sendmsg+0x1861/0x3ed0 net/ipv4/raw.c:653
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • dccp: initialize ireq->ir_mark · b855ff82
      Eric Dumazet committed
      syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook()
      
      Thanks to the nice report, I tracked the problem to dccp not caring
      of ireq->ir_mark for passive sessions.
      
      BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
      BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
      CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
       iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
       nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
       nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483
       nf_hook include/linux/netfilter.h:243 [inline]
       __ip_local_out net/ipv4/ip_output.c:113 [inline]
       ip_local_out net/ipv4/ip_output.c:122 [inline]
       ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504
       dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
       dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
       dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
       dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
       inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x455259
      RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259
      RDX: 0000000000000000 RSI: 0000000020b76fc8 RDI: 0000000000000015
      RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
       ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502
       dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
       dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
       dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
       dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
       inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
       inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797
       dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92
       dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408
       dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414
       dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197
       dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840
       ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
       dst_input include/net/dst.h:449 [inline]
       ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
       __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
       __netif_receive_skb net/core/dev.c:4627 [inline]
       process_backlog+0x62d/0xe20 net/core/dev.c:5307
       napi_poll net/core/dev.c:5705 [inline]
       net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
       __do_softirq+0x56d/0x93d kernel/softirq.c:285
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
       reqsk_alloc include/net/request_sock.h:88 [inline]
       inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145
       dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600
       dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317
       dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612
       dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682
       dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513
       dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874
       ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
       dst_input include/net/dst.h:449 [inline]
       ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
       __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
       __netif_receive_skb net/core/dev.c:4627 [inline]
       process_backlog+0x62d/0xe20 net/core/dev.c:5307
       napi_poll net/core/dev.c:5705 [inline]
       net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
       __do_softirq+0x56d/0x93d kernel/softirq.c:285
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: fix uninit-value in __hw_addr_add_ex() · 77d36398
      Eric Dumazet committed
      syzbot complained:
      
      BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
      CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: ipv6_addrconf addrconf_dad_work
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       memcmp+0x119/0x180 lib/string.c:861
       __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
       __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
       dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
       igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
       ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
       addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
       addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
       addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
       process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
       worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
       kthread+0x539/0x720 kernel/kthread.c:239
      
      Fixes: f001fde5 ("net: introduce a list of device addresses dev_addr_list (v6)")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: initialize skb->peeked when cloning · b13dda9f
      Eric Dumazet committed
      syzbot reported __skb_try_recv_from_queue() was using skb->peeked
      while it was potentially uninitialized.
      
      We need to clear it in __skb_clone()
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: fix rtnh_ok() · b1993a2d
      Eric Dumazet committed
      syzbot reported:
      
      BUG: KMSAN: uninit-value in rtnh_ok include/net/nexthop.h:11 [inline]
      BUG: KMSAN: uninit-value in fib_count_nexthops net/ipv4/fib_semantics.c:469 [inline]
      BUG: KMSAN: uninit-value in fib_create_info+0x554/0x8d20 net/ipv4/fib_semantics.c:1091
      
      @remaining is an integer, coming from user space.
      If it is negative we want rtnh_ok() to return false.
      
      Fixes: 4e902c57 ("[IPv4]: FIB configuration using struct fib_config")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
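
      Why a negative @remaining matters in the commit above, shown as an added user-space example (not the kernel's code or the commit's diff). The record layout, the 4-byte padding that drives the counter negative, and all names are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-prefixed nexthop record (8-byte header). */
struct nh_hdr {
    unsigned short len;   /* record length, header included */
    unsigned char flags;
    unsigned char hops;
    int ifindex;
};

#define NH_HDR ((int)sizeof(struct nh_hdr))
#define NH_ALIGN(n) (((n) + 3) & ~3)   /* assumed 4-byte record padding */

static int reads_past_end;  /* header reads made with less than a header left */
static int records_seen;    /* records accepted by the last walk */

/* Load the length field, noting reads the bounds check should have stopped. */
static int load_len(const unsigned char *p, int remaining)
{
    unsigned short len;

    if (remaining < NH_HDR)
        reads_past_end++;
    memcpy(&len, p, sizeof(len));
    return len;
}

typedef int (*nh_ok_fn)(const unsigned char *, int);

/* "Before": comparing an int with sizeof() converts the int to size_t,
 * so a negative remaining becomes a huge value and passes the first test.
 * The cast below spells out what that implicit conversion does. */
static int nh_ok_unsafe(const unsigned char *p, int remaining)
{
    int len;

    if ((size_t)remaining < sizeof(struct nh_hdr))
        return 0;
    len = load_len(p, remaining);
    return len >= NH_HDR && len <= remaining;
}

/* "After": the comparison is done on signed values, so a negative
 * remaining is rejected before the header is touched. */
static int nh_ok_fixed(const unsigned char *p, int remaining)
{
    int len;

    if (remaining < NH_HDR)
        return 0;
    len = load_len(p, remaining);
    return len >= NH_HDR && len <= remaining;
}

/* Walk a constructed 9-byte payload holding one record with len = 9.
 * Stepping by the padded length (12) leaves remaining at -3. */
static int past_end_reads(nh_ok_fn ok)
{
    unsigned char backing[32];
    const unsigned char *p = backing;
    unsigned short len = 9;
    int remaining = 9;

    memset(backing, 0xAA, sizeof(backing));  /* bytes the sender never supplied */
    memset(backing, 0, 9);
    memcpy(backing, &len, sizeof(len));

    reads_past_end = 0;
    records_seen = 0;
    while (ok(p, remaining)) {
        int step = NH_ALIGN(load_len(p, remaining));

        records_seen++;
        p += step;
        remaining -= step;
    }
    return reads_past_end;
}

int main(void)
{
    printf("unsafe check: %d header read(s) past the payload\n",
           past_end_reads(nh_ok_unsafe));
    printf("fixed check:  %d header read(s) past the payload\n",
           past_end_reads(nh_ok_fixed));
    return 0;
}
```

      Both checks end up rejecting the second record, but the unsafe one only does so after reading a length field from bytes that were never part of the message, which is the kind of read an uninit-value detector flags.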
    • netlink: fix uninit-value in netlink_sendmsg · 6091f09c
      Eric Dumazet committed
      syzbot reported:
      
      BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline]
      BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • crypto: af_alg - fix possible uninit-value in alg_bind() · a466856e
      Eric Dumazet committed
      syzbot reported:
      
      BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162
      
      We need to check addr_len before dereferencing sa (or uaddr)
      
      Fixes: bb30b884 ("crypto: af_alg - whitelist mask and type")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Stephan Mueller <smueller@chronox.de>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: fix a missing idr_remove() in u32_delete_key() · f12c6432
      Cong Wang committed
      When we delete a u32 key via u32_delete_key(), we forget to
      call idr_remove() to remove its handle from IDR.
      
      Fixes: e7614370 ("net_sched: use idr to allocate u32 filter handles")
      Reported-by: Marcin Kabiesz <admin@hostcenter.eu>
      Tested-by: Marcin Kabiesz <admin@hostcenter.eu>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 07 Apr, 2018 1 commit
  3. 06 Apr, 2018 19 commits
    • Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · eb192480
      David S. Miller committed
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Updates 2018-04-06
      
      This series contains a couple of fixes for the new ice driver.
      
      Wei Yongjun fixes the return error code for error case during init.
      
      Anirudh fixes the incorrect use of ARRAY_SIZE() in the ice ethtool code
      and fixed "for" loop calculations.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ice: Bug fixes in ethtool code · cba5957d
      Anirudh Venkataramanan committed
      1) Return correct size from ice_get_regs_len.
      2) Fix incorrect use of ARRAY_SIZE in ice_get_regs.
      
      Fixes: fcea6f3d (ice: Add stats and ethtool support)
      Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
      Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    • ice: Fix error return code in ice_init_hw() · 63bb4e1e
      Wei Yongjun committed
      Fix to return error code ICE_ERR_NO_MEMORY from the alloc error
      handling case instead of 0, as done elsewhere in this function.
      
      Fixes: dc49c772 ("ice: Get MAC/PHY/link info and scheduler topology")
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Acked-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
      Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    • net/sched: fix NULL dereference in the error path of tcf_bpf_init() · 3239534a
      Davide Caratti committed
      when tcf_bpf_init_from_ops() fails (e.g. because of program having invalid
      number of instructions), tcf_bpf_cfg_cleanup() calls bpf_prog_put(NULL) or
      bpf_prog_destroy(NULL). Unless CONFIG_BPF_SYSCALL is unset, this causes
      the following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
       PGD 800000007345a067 P4D 800000007345a067 PUD 340e1067 PMD 0
       Oops: 0000 [#1] SMP PTI
       Modules linked in: act_bpf(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd glue_helper cryptd joydev snd_timer snd virtio_balloon pcspkr soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console i2c_core crc32c_intel serio_raw virtio_pci ata_piix libata virtio_ring floppy virtio dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_bpf]
       CPU: 3 PID: 5654 Comm: tc Tainted: G            E    4.16.0.bpf_test+ #408
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:__bpf_prog_put+0xc/0xc0
       RSP: 0018:ffff9594003ef728 EFLAGS: 00010202
       RAX: 0000000000000000 RBX: ffff9594003ef758 RCX: 0000000000000024
       RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
       RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
       R10: 0000000000000220 R11: ffff8a7ab9f17131 R12: 0000000000000000
       R13: ffff8a7ab7c3c8e0 R14: 0000000000000001 R15: ffff8a7ab88f1054
       FS:  00007fcb2f17c740(0000) GS:ffff8a7abfd80000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000020 CR3: 000000007c888006 CR4: 00000000001606e0
       Call Trace:
        tcf_bpf_cfg_cleanup+0x2f/0x40 [act_bpf]
        tcf_bpf_cleanup+0x4c/0x70 [act_bpf]
        __tcf_idr_release+0x79/0x140
        tcf_bpf_init+0x125/0x330 [act_bpf]
        tcf_action_init_1+0x2cc/0x430
        ? get_page_from_freelist+0x3f0/0x11b0
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.29+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        ? mem_cgroup_commit_charge+0x80/0x130
        ? page_add_new_anon_rmap+0x73/0xc0
        ? do_anonymous_page+0x2a2/0x560
        ? __handle_mm_fault+0xc75/0xe20
        __sys_sendmsg+0x58/0xa0
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7fcb2e58eba0
       RSP: 002b:00007ffc93c496c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007ffc93c497f0 RCX: 00007fcb2e58eba0
       RDX: 0000000000000000 RSI: 00007ffc93c49740 RDI: 0000000000000003
       RBP: 000000005ac6a646 R08: 0000000000000002 R09: 0000000000000000
       R10: 00007ffc93c49120 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007ffc93c49804 R14: 0000000000000001 R15: 000000000066afa0
       Code: 5f 00 48 8b 43 20 48 c7 c7 70 2f 7c b8 c7 40 10 00 00 00 00 5b e9 a5 8b 61 00 0f 1f 44 00 00 0f 1f 44 00 00 41 54 55 48 89 fd 53 <48> 8b 47 20 f0 ff 08 74 05 5b 5d 41 5c c3 41 89 f4 0f 1f 44 00
       RIP: __bpf_prog_put+0xc/0xc0 RSP: ffff9594003ef728
       CR2: 0000000000000020
      
      Fix it in tcf_bpf_cfg_cleanup(), ensuring that bpf_prog_{put,destroy}(f)
      is called only when f is not NULL.
      
      Fixes: bbc09e78 ("net/sched: fix idr leak on the error path of tcf_bpf_init()")
      Reported-by: Lucas Bates <lucasb@mojatatu.com>
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/ipv6: Increment OUTxxx counters after netfilter hook · 71a1c915
      Jeff Barnhill committed
      At the end of ip6_forward(), IPSTATS_MIB_OUTFORWDATAGRAMS and
      IPSTATS_MIB_OUTOCTETS are incremented immediately before the NF_HOOK call
      for NFPROTO_IPV6 / NF_INET_FORWARD.  As a result, these counters get
      incremented regardless of whether or not the netfilter hook allows the
      packet to continue being processed.  This change increments the counters
      in ip6_forward_finish() so that it will not happen if the netfilter hook
      chooses to terminate the packet, which is similar to how IPv4 works.
      Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'hv_netvsc-Fix-shutdown-issues-on-older-Windows-hosts' · a2aeea1c
      David S. Miller committed
      Mohammed Gamal says:
      
      ====================
      hv_netvsc: Fix shutdown issues on older Windows hosts
      
      Guests running on WS2012 hosts would not shut down when changing network
      interface settings (e.g. number of channels, MTU, etc.).
      
      This patch series addresses these shutdown issues we encountered with WS2012
      hosts. It's essentially a rework of the series sent in
      https://lkml.org/lkml/2018/1/23/111 on top of latest upstream
      ====================
      
      Fixes: 0ef58b0a ("hv_netvsc: change GPAD teardown order on older versions")
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • hv_netvsc: Pass net_device parameter to revoke and teardown functions · 3f076eff
      Mohammed Gamal committed
      The callers to netvsc_revoke_*_buf() and netvsc_teardown_*_gpadl()
      already have their net_device instances. Pass them as a parameter to
      the function instead of obtaining them from netvsc_device struct
      every time.
      Signed-off-by: NMohammed Gamal <mgamal@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3f076eff
    • M
      hv_netvsc: Ensure correct teardown message sequence order · a56d99d7
      Mohammed Gamal committed
      Prior to commit 0cf73780 ("hv_netvsc: netvsc_teardown_gpadl() split")
      the call sequence in netvsc_device_remove() was as follows (as
      implemented in netvsc_destroy_buf()):
      1- Send NVSP_MSG1_TYPE_REVOKE_RECV_BUF message
      2- Teardown receive buffer GPADL
      3- Send NVSP_MSG1_TYPE_REVOKE_SEND_BUF message
      4- Teardown send buffer GPADL
      5- Close vmbus
      
      This didn't work for WS2016 hosts. Commit 0cf73780
      ("hv_netvsc: netvsc_teardown_gpadl() split") rearranged the
      teardown sequence as follows:
      1- Send NVSP_MSG1_TYPE_REVOKE_RECV_BUF message
      2- Send NVSP_MSG1_TYPE_REVOKE_SEND_BUF message
      3- Close vmbus
      4- Teardown receive buffer GPADL
      5- Teardown send buffer GPADL
      
      That worked well for WS2016 hosts, but it prevented guests on older hosts from
      shutting down after changing network settings. Commit 0ef58b0a
      ("hv_netvsc: change GPAD teardown order on older versions") ensured the
      following message sequence for older hosts
      1- Send NVSP_MSG1_TYPE_REVOKE_RECV_BUF message
      2- Send NVSP_MSG1_TYPE_REVOKE_SEND_BUF message
      3- Teardown receive buffer GPADL
      4- Teardown send buffer GPADL
      5- Close vmbus
      
      However, with this sequence calling `ip link set eth0 mtu 1000` hangs and the
      process becomes uninterruptible. On further analysis it turns out that on tearing
      down the receive buffer GPADL the kernel is waiting indefinitely
      in vmbus_teardown_gpadl() for a completion to be signaled.
      
      Here is a snippet of where this occurs:
      int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
      {
              struct vmbus_channel_gpadl_teardown *msg;
              struct vmbus_channel_msginfo *info;
              unsigned long flags;
              int ret;
      
              info = kmalloc(sizeof(*info) +
                             sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL);
              if (!info)
                      return -ENOMEM;
      
              init_completion(&info->waitevent);
              info->waiting_channel = channel;
      [....]
              ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_gpadl_teardown),
                                   true);
      
              if (ret)
                      goto post_msg_err;
      
              wait_for_completion(&info->waitevent);
      [....]
      }
      
      The completion is signaled from vmbus_ongpadl_torndown(), which gets called when
      the corresponding message is received from the host, which apparently never happens
      in that case.
      This patch works around the issue by restoring the first mentioned message sequence
      for older hosts
      
      Fixes: 0ef58b0a ("hv_netvsc: change GPAD teardown order on older versions")
      Signed-off-by: Mohammed Gamal <mgamal@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a56d99d7
    • M
      hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() · 7992894c
      Mohammed Gamal committed
      Split each of the functions into two for each of send/recv buffers.
      This will be needed in order to implement a fine-grained messaging
      sequence to the host so that we accommodate the requirements of
      different Windows versions
      
      Fixes: 0ef58b0a ("hv_netvsc: change GPAD teardown order on older versions")
      Signed-off-by: Mohammed Gamal <mgamal@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      7992894c
    • M
      hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown · 2afc5d61
      Mohammed Gamal committed
      When changing network interface settings, Windows guests
      older than WS2016 can no longer shut down. This was addressed
      by commit 0ef58b0a ("hv_netvsc: change GPAD teardown order
      on older versions"), however the issue also occurs on WS2012
      guests that share NVSP protocol versions with WS2016 guests.
      Hence we use Windows version directly to differentiate them.
      
      Fixes: 0ef58b0a ("hv_netvsc: change GPAD teardown order on older versions")
      Signed-off-by: Mohammed Gamal <mgamal@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      2afc5d61
    • M
      net: mvpp2: Fix parser entry init boundary check · 3d92f0b5
      Maxime Chevallier committed
      Boundary check in mvpp2_prs_init_from_hw must be done according to the
      passed "tid" parameter, not the mvpp2_prs_entry index, which is not yet
      initialized at the time of the check.
      
      Fixes: 47e0e14e ("net: mvpp2: Make mvpp2_prs_hw_read a parser entry init function")
      Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      3d92f0b5
    • M
      arp: fix arp_filter on l3slave devices · 58b35f27
      Miguel Fadon Perlines committed
      arp_filter performs an ip_route_output search for arp source address and
      checks if output device is the same where the arp request was received,
      if it is not, the arp request is not answered.
      
      This route lookup is always done on main route table so l3slave devices
      never find the proper route and arp is not answered.
      
      Passing l3mdev_master_ifindex_rcu(dev) return value as oif fixes the
      lookup for l3slave devices while maintaining same behavior for non
      l3slave devices as this function returns 0 in that case.
      
      Fixes: 613d09b3 ("net: Use VRF device index for lookups on TX")
      Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com>
      Acked-by: David Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      58b35f27
    • D
      Merge branch 'net-tunnel-name-validate' · d68a19f8
      David S. Miller committed
      Eric Dumazet says:
      
      ====================
      net: better validate user provided tunnel names
      
      This series changes dev_valid_name() to not attempt reading
      a possibly too long user-provided device name, then use
      this helper in five different tunnel providers.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      d68a19f8
    • E
      vti6: better validate user provided tunnel names · 537b361f
      Eric Dumazet committed
      Use valid_name() to make sure user does not provide illegal
      device name.
      
      Fixes: ed1efb2a ("ipv6: Add support for IPsec virtual tunnel interfaces")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      537b361f
    • E
      ip6_tunnel: better validate user provided tunnel names · db7a65e3
      Eric Dumazet committed
      Use valid_name() to make sure user does not provide illegal
      device name.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      db7a65e3
    • E
      ip6_gre: better validate user provided tunnel names · 5f42df01
      Eric Dumazet committed
      Use dev_valid_name() to make sure user does not provide illegal
      device name.
      
      syzbot caught the following bug :
      
      BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
      BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
      Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466
      
      CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x1b9/0x29f lib/dump_stack.c:53
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
       check_memory_region_inline mm/kasan/kasan.c:260 [inline]
       check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
       memcpy+0x37/0x50 mm/kasan/kasan.c:303
       strlcpy include/linux/string.h:300 [inline]
       ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
       ip6gre_tunnel_ioctl+0x69d/0x12e0 net/ipv6/ip6_gre.c:1195
       dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
       dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
       sock_ioctl+0x47e/0x680 net/socket.c:1015
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
       SYSC_ioctl fs/ioctl.c:708 [inline]
       SyS_ioctl+0x24/0x30 fs/ioctl.c:706
       do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Fixes: c12b395a ("gre: Support GRE over IPv6")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      5f42df01
    • E
      ipv6: sit: better validate user provided tunnel names · b95211e0
      Eric Dumazet committed
      Use dev_valid_name() to make sure user does not provide illegal
      device name.
      
      syzbot caught the following bug :
      
      BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
      BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
      Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453
      
      CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x1b9/0x29f lib/dump_stack.c:53
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
       check_memory_region_inline mm/kasan/kasan.c:260 [inline]
       check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
       memcpy+0x37/0x50 mm/kasan/kasan.c:303
       strlcpy include/linux/string.h:300 [inline]
       ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
       ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221
       dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
       dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
       sock_ioctl+0x47e/0x680 net/socket.c:1015
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
       SYSC_ioctl fs/ioctl.c:708 [inline]
       SyS_ioctl+0x24/0x30 fs/ioctl.c:706
       do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      b95211e0
    • E
      ip_tunnel: better validate user provided tunnel names · 9cb726a2
      Eric Dumazet committed
      Use dev_valid_name() to make sure user does not provide illegal
      device name.
      
      syzbot caught the following bug :
      
      BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
      BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
      Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482
      
      CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x1b9/0x29f lib/dump_stack.c:53
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
       check_memory_region_inline mm/kasan/kasan.c:260 [inline]
       check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
       memcpy+0x37/0x50 mm/kasan/kasan.c:303
       strlcpy include/linux/string.h:300 [inline]
       __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
       ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline]
       ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861
       ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350
       dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
       dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
       sock_ioctl+0x47e/0x680 net/socket.c:1015
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
       SYSC_ioctl fs/ioctl.c:708 [inline]
       SyS_ioctl+0x24/0x30 fs/ioctl.c:706
       do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Fixes: c5441932 ("GRE: Refactor GRE tunneling code.")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      9cb726a2
    • E
      net: fool proof dev_valid_name() · a9d48205
      Eric Dumazet committed
      We want to use dev_valid_name() to validate tunnel names,
      so better use strnlen(name, IFNAMSIZ) than strlen(name) to make
      sure to not upset KASAN.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a9d48205
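The validation described in the tunnel-name commits above, as an added user-space example (not the kernel's code and not part of this commit log): a name that arrives in a fixed IFNAMSIZ-byte field is length-checked with a bounded scan before any unbounded string function reads it. The names `bounded_len`, `name_is_valid`, `set_tunnel_name` and `try_name` and all sample inputs are hypothetical and constructed here; `bounded_len(name, IFNAMSIZ)` returns what `strnlen(name, IFNAMSIZ)` would.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef IFNAMSIZ
#define IFNAMSIZ 16   /* size of an interface-name field, terminator included */
#endif

/* Same result as strnlen(s, max): never reads more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/*
 * Model of the hardened name check. The caller guarantees only that
 * name points to IFNAMSIZ readable bytes, not that it is terminated.
 */
bool name_is_valid(const char *name)
{
    if (name[0] == '\0')
        return false;
    /* No NUL inside the field: reject before strcmp() or a copy runs. */
    if (bounded_len(name, IFNAMSIZ) == IFNAMSIZ)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == ':' || isspace((unsigned char)*p))
            return false;
    return true;
}

/*
 * Validate first, copy second. After validation the source is known to
 * hold a terminator within IFNAMSIZ bytes, so the copy cannot overrun
 * either buffer. Returns 0 on success, -1 if the name is rejected.
 */
int set_tunnel_name(char dst[IFNAMSIZ], const char src[IFNAMSIZ])
{
    if (!name_is_valid(src))
        return -1;
    memcpy(dst, src, bounded_len(src, IFNAMSIZ) + 1);
    return 0;
}

/*
 * Place a constructed name into a fixed-size field the way a request
 * structure carries it. strncpy() zero-pads short names and leaves the
 * field unterminated when text has IFNAMSIZ or more characters.
 */
int try_name(const char *text, char out[IFNAMSIZ])
{
    char field[IFNAMSIZ];

    strncpy(field, text, IFNAMSIZ);
    return set_tunnel_name(out, field);
}

int main(void)
{
    char out[IFNAMSIZ];
    char raw[IFNAMSIZ];

    /* Constructed sample: every byte of the field is used, no NUL. */
    memset(raw, 'A', sizeof(raw));

    printf("tun0          -> %d\n", try_name("tun0", out));
    printf("a/b           -> %d\n", try_name("a/b", out));
    printf("unterminated  -> %d\n", set_tunnel_name(out, raw));
    return 0;
}
```

In this model an empty name is simply rejected; what a caller does with an empty name is outside the example.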
  4. 05 Apr, 2018 9 commits
    • L
      Merge tag 'char-misc-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 06dd3dfe
      Linus Torvalds committed
      Pull char/misc updates from Greg KH:
       "Here is the big set of char/misc driver patches for 4.17-rc1.
      
        There are a lot of little things in here, nothing huge, but all
        important to the different hardware types involved:
      
         -  thunderbolt driver updates
      
         -  parport updates (people still care...)
      
         -  nvmem driver updates
      
         -  mei updates (as always)
      
         -  hwtracing driver updates
      
         -  hyperv driver updates
      
         -  extcon driver updates
      
         -  ... and a handful of even smaller driver subsystem and individual
            driver updates
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'char-misc-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (149 commits)
        hwtracing: Add HW tracing support menu
        intel_th: Add ACPI glue layer
        intel_th: Allow forcing host mode through drvdata
        intel_th: Pick up irq number from resources
        intel_th: Don't touch switch routing in host mode
        intel_th: Use correct method of finding hub
        intel_th: Add SPDX GPL-2.0 header to replace GPLv2 boilerplate
        stm class: Make dummy's master/channel ranges configurable
        stm class: Add SPDX GPL-2.0 header to replace GPLv2 boilerplate
        MAINTAINERS: Bestow upon myself the care for drivers/hwtracing
        hv: add SPDX license id to Kconfig
        hv: add SPDX license to trace
        Drivers: hv: vmbus: do not mark HV_PCIE as perf_device
        Drivers: hv: vmbus: respect what we get from hv_get_synint_state()
        /dev/mem: Avoid overwriting "err" in read_mem()
        eeprom: at24: use SPDX identifier instead of GPL boiler-plate
        eeprom: at24: simplify the i2c functionality checking
        eeprom: at24: fix a line break
        eeprom: at24: tweak newlines
        eeprom: at24: refactor at24_probe()
        ...
      06dd3dfe
    • L
      Merge tag 'driver-core-4.17-rc1' of... · 38047d5c
      Linus Torvalds committed
      Merge tag 'driver-core-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core updates from Greg KH:
       "Here is the "big" set of driver core patches for 4.17-rc1.
      
        There's really not much here, just a bunch of firmware code
        refactoring from Luis as he attempts to wrangle that codebase into
        something that is manageable, along with a bunch of userspace tests for
        it. Other than that, a handful of small bugfixes and reverts of things
        that didn't work out.
      
        Full details are in the shortlog, it's not all that much.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'driver-core-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (30 commits)
        drivers: base: remove check for callback in coredump_store()
        mt7601u: use firmware_request_cache() to address cache on reboot
        firmware: add firmware_request_cache() to help with cache on reboot
        firmware: fix typo on pr_info_once() when ignore_sysfs_fallback is used
        firmware: explicitly include vmalloc.h
        firmware: ensure the firmware cache is not used on incompatible calls
        test_firmware: modify custom fallback tests to use unique files
        firmware: add helper to check to see if fw cache is setup
        firmware: fix checking for return values for fw_add_devm_name()
        rename: _request_firmware_load() fw_load_sysfs_fallback()
        test_firmware: test three firmware kernel configs using a proc knob
        test_firmware: expand on library with shared helpers
        firmware: enable to force disable the fallback mechanism at run time
        firmware: enable run time change of forcing fallback loader
        firmware: move firmware loader into its own directory
        firmware: split firmware fallback functionality into its own file
        firmware: move loading timeout under struct firmware_fallback_config
        firmware: use helpers for setting up a temporary cache timeout
        firmware: simplify CONFIG_FW_LOADER_USER_HELPER_FALLBACK further
        drivers: base: add description for .coredump() callback
        ...
      38047d5c
    • L
      Merge tag 'staging-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · df34df48
      Linus Torvalds committed
      Pull staging/IIO updates from Greg KH:
       "Here is the big set of Staging/IIO driver patches for 4.17-rc1.
      
        It is a lot, over 500 changes, but not huge by previous kernel release
        standards. We deleted more lines than we added again (27k added vs.
        91k removed), thanks to finally being able to delete the IRDA drivers
        and networking code.
      
        We also deleted the ccree crypto driver, but that's coming back in
        through the crypto tree to you, in a much cleaned-up form.
      
        Added this round is a lot of "mt7621" device support, which is for an
        embedded device that Neil Brown cares about, and of course a handful
        of new IIO drivers as well.
      
        And finally, the fsl-mc core code moved out of the staging tree to the
        "real" part of the kernel, which is nice to see happen as well.
      
        Full details are in the shortlog, which has all of the tiny cleanup
        patches described.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (579 commits)
        staging: rtl8723bs: Remove yield call, replace with cond_resched()
        staging: rtl8723bs: Replace yield() call with cond_resched()
        staging: rtl8723bs: Remove unecessary newlines from 'odm.h'.
        staging: rtl8723bs: Rework 'struct _ODM_Phy_Status_Info_' coding style.
        staging: rtl8723bs: Rework 'struct _ODM_Per_Pkt_Info_' coding style.
        staging: rtl8723bs: Replace NULL pointer comparison with '!'.
        staging: rtl8723bs: Factor out rtl8723bs_recv_tasklet() sections.
        staging: rtl8723bs: Fix function signature that goes over 80 characters.
        staging: rtl8723bs: Fix lines too long in update_recvframe_attrib().
        staging: rtl8723bs: Remove unnecessary blank lines in 'rtl8723bs_recv.c'.
        staging: rtl8723bs: Change camel case to snake case in 'rtl8723bs_recv.c'.
        staging: rtl8723bs: Add missing braces in else statement.
        staging: rtl8723bs: Add spaces around ternary operators.
        staging: rtl8723bs: Fix lines with trailing open parentheses.
        staging: rtl8723bs: Remove unnecessary length #define's.
        staging: rtl8723bs: Fix IEEE80211 authentication algorithm constants.
        staging: rtl8723bs: Fix alignment in rtw_wx_set_auth().
        staging: rtl8723bs: Remove braces from single statement conditionals.
        staging: rtl8723bs: Remove unecessary braces from switch statement.
        staging: rtl8723bs: Fix newlines in rtw_wx_set_auth().
        ...
      df34df48
    • L
      Merge tag 'tty-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 9abf8ace
      Linus Torvalds committed
      Pull tty/serial driver updates from Greg KH:
       "Here is the big set of tty and serial driver patches for 4.17-rc1
      
        Not all that big really, most are just small fixes and additions to
        existing drivers. There's a bunch of work on the imx serial driver
        recently for some reason, and a new embedded serial driver added as
        well.
      
        Full details are in the shortlog.
      
        All of these have been in the linux-next tree for a while with no
        reported issues"
      
      * tag 'tty-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (66 commits)
        serial: expose buf_overrun count through proc interface
        serial: mvebu-uart: fix tx lost characters
        tty: serial: msm_geni_serial: Fix return value check in qcom_geni_serial_probe()
        tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP
        8250-men-mcb: add support for 16z025 and 16z057
        powerpc: Mark the variable earlycon_acpi_spcr_enable maybe_unused
        serial: stm32: fix initialization of RS485 mode
        ARM: dts: STi: Remove "console=ttyASN" from bootargs for STi boards
        vt: change SGR 21 to follow the standards
        serdev: Fix typo in serdev_device_alloc
        ARM: dts: STi: Fix aliases property name for STi boards
        tty: st-asc: Update tty alias
        serial: stm32: add support for RS485 hardware control mode
        dt-bindings: serial: stm32: add RS485 optional properties
        selftests: add devpts selftests
        devpts: comment devpts_mntget()
        devpts: resolve devpts bind-mounts
        devpts: hoist out check for DEVPTS_SUPER_MAGIC
        serial: 8250: Add Nuvoton NPCM UART
        serial: mxs-auart: disable clks of Alphascale ASM9260
        ...
      9abf8ace
    • L
      Merge tag 'usb-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · ac9053d2
      Linus Torvalds committed
      Pull USB/PHY updates from Greg KH:
       "Here is the big set of USB and PHY driver patches for 4.17-rc1.
      
        Lots of USB typeC work happened this round, with code moving from the
        staging directory into the "real" part of the kernel, as well as new
        infrastructure being added to be able to handle the different types of
        "roles" that typeC requires.
      
        There is also the normal huge set of USB gadget controller and driver
        updates, along with XHCI changes, and a raft of other tiny fixes all
        over the USB tree. And the PHY driver updates are merged in here as
        well as they interacted with the USB drivers in some places.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'usb-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (250 commits)
        Revert "USB: serial: ftdi_sio: add Id for Physik Instrumente E-870"
        usb: musb: gadget: misplaced out of bounds check
        usb: chipidea: imx: Fix ULPI on imx53
        usb: chipidea: imx: Cleanup ci_hdrc_imx_platform_flag
        usb: chipidea: usbmisc: small clean up
        usb: chipidea: usbmisc: evdo can be set e/o reset
        usb: chipidea: usbmisc: evdo is only specific to OTG port
        USB: serial: ftdi_sio: add Id for Physik Instrumente E-870
        usb: dwc3: gadget: never call ->complete() from ->ep_queue()
        usb: gadget: udc: core: update usb_ep_queue() documentation
        usb: host: Remove the deprecated ATH79 USB host config options
        usb: roles: Fix return value check in intel_xhci_usb_probe()
        USB: gadget: f_midi: fixing a possible double-free in f_midi
        usb: core: Add USB_QUIRK_DELAY_CTRL_MSG to usbcore quirks
        usb: core: Copy parameter string correctly and remove superfluous null check
        USB: announce bcdDevice as well as idVendor, idProduct.
        USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw
        usb: hub: Reduce warning to notice on power loss
        USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator
        USB: serial: cp210x: add ELDAT Easywave RX09 id
        ...
      ac9053d2
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f9ca6a56
      Linus Torvalds committed
      Pull networking fixes from David Miller:
       "This fixes some fallout from the net-next merge the other day, plus
        some non-merge-window-related bug fixes:
      
        1) Fix sparse warnings in bcmgenet, systemport, b53, and mt7530
           (Florian Fainelli)
      
        2) pptp does a bogus dst_release() on a route we have a single
           refcount on, and attached to a socket, which needs that refcount
           (Eric Dumazet)
      
        3) UDP connected sockets on ipv6 can race with route update handling,
           resulting in a pre-PMTU update route still stuck on the socket and
           thus continuing to get ICMPV6_PKT_TOOBIG errors. We end up never
           seeing the updated route. (Alexey Kodanev)
      
        4) Missing list initializer(s) in TIPC (Jon Maloy)
      
        5) Connect phy early to prevent crashes in lan78xx driver (Alexander
           Graf)
      
        6) Fix build with modular NVMEM (Arnd Bergmann)
      
        7) netdevsim cannot mark nsim_devlink_net_ops and nsim_fib_net_ops as
           __net_initdata, as these are references from module unload
           unconditionally (Arnd Bergmann)"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (23 commits)
        netdevsim: remove incorrect __net_initdata annotations
        sfc: remove ctpio_dmabuf_start from stats
        inet: frags: fix ip6frag_low_thresh boundary
        tipc: Fix namespace violation in tipc_sk_fill_sock_diag
        net: avoid unneeded atomic operation in ip*_append_data()
        nvmem: disallow modular CONFIG_NVMEM
        net: hns3: fix length overflow when CONFIG_ARM64_64K_PAGES
        nfp: use full 40 bits of the NSP buffer address
        lan78xx: Connect phy early
        nfp: add a separate counter for packets with CHECKSUM_COMPLETE
        tipc: Fix missing list initializations in struct tipc_subscription
        ipv6: udp: set dst cache for a connected sk if current not valid
        ipv6: udp: convert 'connected' to bool type in udpv6_sendmsg()
        ipv6: allow to cache dst for a connected sk in ip6_sk_dst_lookup_flow()
        ipv6: add a wrapper for ip6_dst_store() with flowi6 checks
        net: phy: marvell10g: add thermal hwmon device
        pptp: remove a buggy dst release in pptp_connect()
        net: dsa: mt7530: Use NULL instead of plain integer
        net: dsa: b53: Fix sparse warnings in b53_mmap.c
        af_unix: remove redundant lockdep class
        ...
      f9ca6a56
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 9eb31227
      Linus Torvalds committed
      Pull crypto updates from Herbert Xu:
       "API:
      
         - add AEAD support to crypto engine
      
         - allow batch registration in simd
      
        Algorithms:
      
         - add CFB mode
      
         - add speck block cipher
      
         - add sm4 block cipher
      
         - new test case for crct10dif
      
         - improve scheduling latency on ARM
      
         - scatter/gather support to gcm in aesni
      
         - convert x86 crypto algorithms to skcipher
      
        Drivers:
      
         - hmac(sha224/sha256) support in inside-secure
      
         - aes gcm/ccm support in stm32
      
         - stm32mp1 support in stm32
      
         - ccree driver from staging tree
      
         - gcm support over QI in caam
      
         - add ks-sa hwrng driver"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (212 commits)
        crypto: ccree - remove unused enums
        crypto: ahash - Fix early termination in hash walk
        crypto: brcm - explicitly cast cipher to hash type
        crypto: talitos - don't leak pointers to authenc keys
        crypto: qat - don't leak pointers to authenc keys
        crypto: picoxcell - don't leak pointers to authenc keys
        crypto: ixp4xx - don't leak pointers to authenc keys
        crypto: chelsio - don't leak pointers to authenc keys
        crypto: caam/qi - don't leak pointers to authenc keys
        crypto: caam - don't leak pointers to authenc keys
        crypto: lrw - Free rctx->ext with kzfree
        crypto: talitos - fix IPsec cipher in length
        crypto: Deduplicate le32_to_cpu_array() and cpu_to_le32_array()
        crypto: doc - clarify hash callbacks state machine
        crypto: api - Keep failed instances alive
        crypto: api - Make crypto_alg_lookup static
        crypto: api - Remove unused crypto_type lookup function
        crypto: chelsio - Remove declaration of static function from header
        crypto: inside-secure - hmac(sha224) support
        crypto: inside-secure - hmac(sha256) support
        ..
      9eb31227
    • L
      Merge tag 'riscv-for-linus-4.17-mw0' of... · 527cd207
      Linus Torvalds committed
      Merge tag 'riscv-for-linus-4.17-mw0' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux
      
      Pull RISC-V updates from Palmer Dabbelt:
       "This contains the new features we'd like to incorporate into the
        RISC-V port for 4.17. We might have a bit more stuff land later in the
        merge window, but I wanted to get this out earlier just so everyone
        can see where we currently stand.
      
        A short summary of the changes is:
      
         - We've added support for dynamic ftrace on RISC-V targets.
      
         - There have been a handful of cleanups to our atomic and locking
           routines. They now more closely match the released RISC-V memory
           model draft.
      
         - Our module loading support has been cleaned up and is now enabled
           by default, despite some limitations still existing.
      
         - A patch to define COMMANDLINE_FORCE instead of COMMANDLINE_OVERRIDE
           so the generic device tree code picks up handling all our command
           line stuff.
      
        There's more information in the merge commits for each patch set"
      
      * tag 'riscv-for-linus-4.17-mw0' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux: (21 commits)
        RISC-V: Rename CONFIG_CMDLINE_OVERRIDE to CONFIG_CMDLINE_FORCE
        RISC-V: Add definition of relocation types
        RISC-V: Enable module support in defconfig
        RISC-V: Support SUB32 relocation type in kernel module
        RISC-V: Support ADD32 relocation type in kernel module
        RISC-V: Support ALIGN relocation type in kernel module
        RISC-V: Support RVC_BRANCH/JUMP relocation type in kernel modulewq
        RISC-V: Support HI20/LO12_I/LO12_S relocation type in kernel module
        RISC-V: Support CALL relocation type in kernel module
        RISC-V: Support GOT_HI20/CALL_PLT relocation type in kernel module
        RISC-V: Add section of GOT.PLT for kernel module
        RISC-V: Add sections of PLT and GOT for kernel module
        riscv/atomic: Strengthen implementations with fences
        riscv/spinlock: Strengthen implementations with fences
        riscv/barrier: Define __smp_{store_release,load_acquire}
        riscv/ftrace: Add HAVE_FUNCTION_GRAPH_RET_ADDR_PTR support
        riscv/ftrace: Add DYNAMIC_FTRACE_WITH_REGS support
        riscv/ftrace: Add ARCH_SUPPORTS_FTRACE_OPS support
        riscv/ftrace: Add dynamic function graph tracer support
        riscv/ftrace: Add dynamic function tracer support
        ...
    • L
      Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 23221d99
      Linus Torvalds committed
      Pull arm64 updates from Will Deacon:
       "Nothing particularly stands out here, probably because people were
        tied up with spectre/meltdown stuff last time around. Still, the main
        pieces are:
      
         - Rework of our CPU features framework so that we can whitelist CPUs
           that don't require kpti even in a heterogeneous system
      
         - Support for the IDC/DIC architecture extensions, which allow us to
           elide instruction and data cache maintenance when writing out
           instructions
      
         - Removal of the large memory model which resulted in suboptimal
           codegen by the compiler and increased the use of literal pools,
           which could potentially be used as ROP gadgets since they are
           mapped as executable
      
         - Rework of forced signal delivery so that the siginfo_t is
           well-formed and handling of show_unhandled_signals is consolidated
           and made consistent between different fault types
      
         - More siginfo cleanup based on the initial patches from Eric
           Biederman
      
         - Workaround for Cortex-A55 erratum #1024718
      
         - Some small ACPI IORT updates and cleanups from Lorenzo Pieralisi
      
         - Misc cleanups and non-critical fixes"
      
      * tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: (70 commits)
        arm64: uaccess: Fix omissions from usercopy whitelist
        arm64: fpsimd: Split cpu field out from struct fpsimd_state
        arm64: tlbflush: avoid writing RES0 bits
        arm64: cmpxchg: Include linux/compiler.h in asm/cmpxchg.h
        arm64: move percpu cmpxchg implementation from cmpxchg.h to percpu.h
        arm64: cmpxchg: Include build_bug.h instead of bug.h for BUILD_BUG
        arm64: lse: Include compiler_types.h and export.h for out-of-line LL/SC
        arm64: fpsimd: include <linux/init.h> in fpsimd.h
        drivers/perf: arm_pmu_platform: do not warn about affinity on uniprocessor
        perf: arm_spe: include linux/vmalloc.h for vmap()
        Revert "arm64: Revert L1_CACHE_SHIFT back to 6 (64-byte cache line size)"
        arm64: cpufeature: Avoid warnings due to unused symbols
        arm64: Add work around for Arm Cortex-A55 Erratum 1024718
        arm64: Delay enabling hardware DBM feature
        arm64: Add MIDR encoding for Arm Cortex-A55 and Cortex-A35
        arm64: capabilities: Handle shared entries
        arm64: capabilities: Add support for checks based on a list of MIDRs
        arm64: Add helpers for checking CPU MIDR against a range
        arm64: capabilities: Clean up midr range helpers
        arm64: capabilities: Change scope of VHE to Boot CPU feature
        ...