1. 20 10月, 2018 2 次提交
    • G
      Merge tag 'usb-4.19-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · c7b70a64
      Greg Kroah-Hartman 提交于
      I wrote:
        "USB fixes for 4.19-final
      
         Here are a small number of last-minute USB driver fixes
      
         Included here are:
           - spectre fix for usb storage gadgets
           - xhci fixes
           - cdc-acm fixes
           - usbip fixes for reported problems
      
         All of these have been in linux-next with no reported issues."
      
      * tag 'usb-4.19-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: gadget: storage: Fix Spectre v1 vulnerability
        USB: fix the usbfs flag sanitization for control transfers
        usb: xhci: pci: Enable Intel USB role mux on Apollo Lake platforms
        usb: roles: intel_xhci: Fix Unbalanced pm_runtime_enable
        cdc-acm: correct counting of UART states in serial state notification
        cdc-acm: do not reset notification buffer index upon urb unlinking
        cdc-acm: fix race between reset and control messaging
        usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()
        selftests: usbip: add wait after attach and before checking port status
      c7b70a64
    • G
      Merge tag 'for-linus-20181019' of git://git.kernel.dk/linux-block · b2a205ff
      Greg Kroah-Hartman 提交于
      Jens writes:
        "Block fixes for 4.19-final
      
         Two small fixes that should go into this release."
      
      * tag 'for-linus-20181019' of git://git.kernel.dk/linux-block:
        block: don't deal with discard limit in blkdev_issue_discard()
        nvme: remove ns sibling before clearing path
      b2a205ff
  2. 19 10月, 2018 12 次提交
    • G
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 91b15613
      Greg Kroah-Hartman 提交于
      David writes:
        "Networking
      
         1) Fix gro_cells leak in xfrm layer, from Li RongQing.
      
         2) BPF selftests change RLIMIT_MEMLOCK blindly, don't do that.  From
            Eric Dumazet.
      
         3) AF_XDP calls synchronize_net() under RCU lock, fix from Björn
            Töpel.
      
         4) Out of bounds packet access in _decode_session6(), from Alexei
            Starovoitov.
      
         5) Several ethtool bugs, where we copy a struct into the kernel twice
            and our validations of the values in the first copy can be
            invalidated by the second copy due to asynchronous updates to the
            memory by the user.  From Wenwen Wang.
      
         6) Missing netlink attribute validation in cls_api, from Davide
            Caratti.
      
         7) LLC SAP sockets neet to be SOCK_RCU FREE, from Cong Wang.
      
         8) rxrpc operates on wrong kvec, from Yue Haibing.
      
         9) A regression was introduced by the disassosciation of route
            neighbour references in rt6_probe(), causing probe for
            neighbourless routes to not be properly rate limited.  Fix from
            Sabrina Dubroca.
      
         10) Unsafe RCU locking in tipc, from Tung Nguyen.
      
         11) Use after free in inet6_mc_check(), from Eric Dumazet.
      
         12) PMTU from icmp packets should update the SCTP transport pathmtu,
             from Xin Long.
      
         13) Missing peer put on error in rxrpc, from David Howells.
      
         14) Fix pedit in nfp driver, from Pieter Jansen van Vuuren.
      
         15) Fix overflowing shift statement in qla3xxx driver, from Nathan
             Chancellor.
      
         16) Fix Spectre v1 in ptp code, from Gustavo A. R. Silva.
      
         17) udp6_unicast_rcv_skb() interprets udpv6_queue_rcv_skb() return
             value in an inverted manner, fix from Paolo Abeni.
      
         18) Fix missed unresolved entries in ipmr dumps, from Nikolay
             Aleksandrov.
      
         19) Fix NAPI handling under high load, we can completely miss events
             when NAPI has to loop more than one time in a cycle.  From Heiner
             Kallweit."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (49 commits)
        ip6_tunnel: Fix encapsulation layout
        tipc: fix info leak from kernel tipc_event
        net: socket: fix a missing-check bug
        net: sched: Fix for duplicate class dump
        r8169: fix NAPI handling under high load
        net: ipmr: fix unresolved entry dumps
        net: mscc: ocelot: Fix comment in ocelot_vlant_wait_for_completion()
        sctp: fix the data size calculation in sctp_data_size
        virtio_net: avoid using netif_tx_disable() for serializing tx routine
        udp6: fix encap return code for resubmitting
        mlxsw: core: Fix use-after-free when flashing firmware during init
        sctp: not free the new asoc when sctp_wait_for_connect returns err
        sctp: fix race on sctp_id2asoc
        r8169: re-enable MSI-X on RTL8168g
        net: bpfilter: use get_pid_task instead of pid_task
        ptp: fix Spectre v1 vulnerability
        net: qla3xxx: Remove overflowing shift statement
        geneve, vxlan: Don't set exceptions if skb->len < mtu
        geneve, vxlan: Don't check skb_dst() twice
        sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL instead
        ...
      91b15613
    • G
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 2a966610
      Greg Kroah-Hartman 提交于
      David writes:
        "Sparc fixes:
      
         The main bit here is fixing how fallback system calls are handled in
         the sparc vDSO.
      
         Unfortunately, I fat fingered the commit and some perf debugging
         hacks slipped into the vDSO fix, which I revert in the very next
         commit."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: Revert unintended perf changes.
        sparc: vDSO: Silence an uninitialized variable warning
        sparc: Fix syscall fallback bugs in VDSO.
      2a966610
    • G
      Merge tag 'drm-fixes-2018-10-19' of git://anongit.freedesktop.org/drm/drm · 7555c5d5
      Greg Kroah-Hartman 提交于
      Dave writes:
        "drm fixes for 4.19 final
      
         Just a last set of misc core fixes for final.
      
         4 fixes, one use after free, one fb integration fix, one EDID fix,
         and one laptop panel quirk,"
      
      * tag 'drm-fixes-2018-10-19' of git://anongit.freedesktop.org/drm/drm:
        drm/edid: VSDB yCBCr420 Deep Color mode bit definitions
        drm: fix use of freed memory in drm_mode_setcrtc
        drm: fb-helper: Reject all pixel format changing requests
        drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl
      7555c5d5
    • G
      Merge tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · eb6d938f
      Greg Kroah-Hartman 提交于
      Doug writes:
        "Really final for-rc pull request for 4.19
      
         Ok, so last week I thought we had sent our final pull request for
         4.19.  Well, wouldn't ya know someone went and found a couple Spectre
         v1 fixes were needed :-/.  So, a couple *very* small specter patches
         for this (hopefully) final -rc week."
      
      * tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/ucma: Fix Spectre v1 vulnerability
        IB/ucm: Fix Spectre v1 vulnerability
      eb6d938f
    • D
      Merge tag 'drm-misc-fixes-2018-10-18' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · f8e6e1b6
      Dave Airlie 提交于
      drm-misc-fixes for v4.19:
      - Fix use of freed memory in drm_mode_setcrtc.
      - Reject pixel format changing requests in fb helper.
      - Add 6 bpc quirk for HP Pavilion 15-n233sl
      - Fix VSDB yCBCr420 Deep Color mode bit definitions
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/647fe5d0-4ec5-57cc-9f23-a4836b29e278@linux.intel.com
      f8e6e1b6
    • S
      ip6_tunnel: Fix encapsulation layout · d4d576f5
      Stefano Brivio 提交于
      Commit 058214a4 ("ip6_tun: Add infrastructure for doing
      encapsulation") added the ip6_tnl_encap() call in ip6_tnl_xmit(), before
      the call to ipv6_push_frag_opts() to append the IPv6 Tunnel Encapsulation
      Limit option (option 4, RFC 2473, par. 5.1) to the outer IPv6 header.
      
      As long as the option didn't actually end up in generated packets, this
      wasn't an issue. Then commit 89a23c8b ("ip6_tunnel: Fix missing tunnel
      encapsulation limit option") fixed sending of this option, and the
      resulting layout, e.g. for FoU, is:
      
      .-------------------.------------.----------.-------------------.----- - -
      | Outer IPv6 Header | UDP header | Option 4 | Inner IPv6 Header | Payload
      '-------------------'------------'----------'-------------------'----- - -
      
      Needless to say, FoU and GUE (at least) won't work over IPv6. The option
      is appended by default, and I couldn't find a way to disable it with the
      current iproute2.
      
      Turn this into a more reasonable:
      
      .-------------------.----------.------------.-------------------.----- - -
      | Outer IPv6 Header | Option 4 | UDP header | Inner IPv6 Header | Payload
      '-------------------'----------'------------'-------------------'----- - -
      
      With this, and with 84dad559 ("udp6: fix encap return code for
      resubmitting"), FoU and GUE work again over IPv6.
      
      Fixes: 058214a4 ("ip6_tun: Add infrastructure for doing encapsulation")
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d4d576f5
    • J
      tipc: fix info leak from kernel tipc_event · b06f9d9f
      Jon Maloy 提交于
      We initialize a struct tipc_event allocated on the kernel stack to
      zero to avert info leak to user space.
      
      Reported-by: syzbot+057458894bc8cada4dee@syzkaller.appspotmail.com
      Signed-off-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b06f9d9f
    • W
      net: socket: fix a missing-check bug · b6168562
      Wenwen Wang 提交于
      In ethtool_ioctl(), the ioctl command 'ethcmd' is checked through a switch
      statement to see whether it is necessary to pre-process the ethtool
      structure, because, as mentioned in the comment, the structure
      ethtool_rxnfc is defined with padding. If yes, a user-space buffer 'rxnfc'
      is allocated through compat_alloc_user_space(). One thing to note here is
      that, if 'ethcmd' is ETHTOOL_GRXCLSRLALL, the size of the buffer 'rxnfc' is
      partially determined by 'rule_cnt', which is actually acquired from the
      user-space buffer 'compat_rxnfc', i.e., 'compat_rxnfc->rule_cnt', through
      get_user(). After 'rxnfc' is allocated, the data in the original user-space
      buffer 'compat_rxnfc' is then copied to 'rxnfc' through copy_in_user(),
      including the 'rule_cnt' field. However, after this copy, no check is
      re-enforced on 'rxnfc->rule_cnt'. So it is possible that a malicious user
      race to change the value in the 'compat_rxnfc->rule_cnt' between these two
      copies. Through this way, the attacker can bypass the previous check on
      'rule_cnt' and inject malicious data. This can cause undefined behavior of
      the kernel and introduce potential security risk.
      
      This patch avoids the above issue via copying the value acquired by
      get_user() to 'rxnfc->rule_cn', if 'ethcmd' is ETHTOOL_GRXCLSRLALL.
      Signed-off-by: NWenwen Wang <wang6495@umn.edu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6168562
    • P
      net: sched: Fix for duplicate class dump · 3c53ed8f
      Phil Sutter 提交于
      When dumping classes by parent, kernel would return classes twice:
      
      | # tc qdisc add dev lo root prio
      | # tc class show dev lo
      | class prio 8001:1 parent 8001:
      | class prio 8001:2 parent 8001:
      | class prio 8001:3 parent 8001:
      | # tc class show dev lo parent 8001:
      | class prio 8001:1 parent 8001:
      | class prio 8001:2 parent 8001:
      | class prio 8001:3 parent 8001:
      | class prio 8001:1 parent 8001:
      | class prio 8001:2 parent 8001:
      | class prio 8001:3 parent 8001:
      
      This comes from qdisc_match_from_root() potentially returning the root
      qdisc itself if its handle matched. Though in that case, root's classes
      were already dumped a few lines above.
      
      Fixes: cb395b20 ("net: sched: optimize class dumps")
      Signed-off-by: NPhil Sutter <phil@nwl.cc>
      Reviewed-by: NJiri Pirko <jiri@mellanox.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3c53ed8f
    • H
      r8169: fix NAPI handling under high load · 6b839b6c
      Heiner Kallweit 提交于
      rtl_rx() and rtl_tx() are called only if the respective bits are set
      in the interrupt status register. Under high load NAPI may not be
      able to process all data (work_done == budget) and it will schedule
      subsequent calls to the poll callback.
      rtl_ack_events() however resets the bits in the interrupt status
      register, therefore subsequent calls to rtl8169_poll() won't call
      rtl_rx() and rtl_tx() - chip interrupts are still disabled.
      
      Fix this by calling rtl_rx() and rtl_tx() independent of the bits
      set in the interrupt status register. Both functions will detect
      if there's nothing to do for them.
      
      Fixes: da78dbff ("r8169: remove work from irq handler.")
      Signed-off-by: NHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6b839b6c
    • D
      sparc: Revert unintended perf changes. · 27faeebd
      David S. Miller 提交于
      Some local debugging hacks accidently slipped into the VDSO commit.
      
      Sorry!
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      27faeebd
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 2ee653f6
      David S. Miller 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2018-10-18
      
      1) Free the xfrm interface gro_cells when deleting the
         interface, otherwise we leak it. From Li RongQing.
      
      2) net/core/flow.c does not exist anymore, so remove it
         from the MAINTAINERS file.
      
      3) Fix a slab-out-of-bounds in _decode_session6.
         From Alexei Starovoitov.
      
      4) Fix RCU protection when policies inserted into
         thei bydst lists. From Florian Westphal.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2ee653f6
  3. 18 10月, 2018 26 次提交