1. 22 4月, 2017 7 次提交
  2. 21 4月, 2017 15 次提交
  3. 19 4月, 2017 10 次提交
    • S
      sh_eth: unmap DMA buffers when freeing rings · 1debdc8f
      Sergei Shtylyov 提交于
      The DMA API debugging (when enabled) causes:
      
      WARNING: CPU: 0 PID: 1445 at lib/dma-debug.c:519 add_dma_entry+0xe0/0x12c
      DMA-API: exceeded 7 overlapping mappings of cacheline 0x01b2974d
      
      to be  printed after repeated initialization of the Ether device, e.g.
      suspend/resume or 'ifconfig' up/down. This is because DMA buffers mapped
      using dma_map_single() in sh_eth_ring_format() and sh_eth_start_xmit() are
      never unmapped. Resolve this problem by unmapping the buffers when freeing
      the descriptor  rings;  in order  to do it right, we'd have to add an extra
      parameter to sh_eth_txfree() (we rename this function to sh_eth_tx_free(),
      while at it).
      
      Based on the commit a47b70ea ("ravb: unmap descriptors when freeing
      rings").
      Signed-off-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1debdc8f
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 005882e5
      Linus Torvalds 提交于
      Pull sparc fixes from David Miller:
       "Two Sparc bug fixes from Daniel Jordan and Nitin Gupta"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix hugepage page table free
        sparc64: Use LOCKDEP_SMALL, not PROVE_LOCKING_SMALL
      005882e5
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 40d9018e
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) BPF tail call handling bug fixes from Daniel Borkmann.
      
       2) Fix allowance of too many rx queues in sfc driver, from Bert
          Kenward.
      
       3) Non-loopback ipv6 packets claiming src of ::1 should be dropped,
          from Florian Westphal.
      
       4) Statistics requests on KSZ9031 can crash, fix from Grygorii
          Strashko.
      
       5) TX ring handling fixes in mediatek driver, from Sean Wang.
      
       6) ip_ra_control can deadlock, fix lock acquisition ordering to fix,
          from Cong WANG.
      
       7) Fix use after free in ip_recv_error(), from Willem de Buijn.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        bpf: fix checking xdp_adjust_head on tail calls
        bpf: fix cb access in socket filter programs on tail calls
        ipv6: drop non loopback packets claiming to originate from ::1
        net: ethernet: mediatek: fix inconsistency of port number carried in TXD
        net: ethernet: mediatek: fix inconsistency between TXD and the used buffer
        net: phy: micrel: fix crash when statistic requested for KSZ9031 phy
        net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule
        net: thunderx: Fix set_max_bgx_per_node for 81xx rgx
        net-timestamp: avoid use-after-free in ip_recv_error
        ipv4: fix a deadlock in ip_ra_control
        sfc: limit the number of receive queues
      40d9018e
    • N
      sparc64: Fix hugepage page table free · 544f8f93
      Nitin Gupta 提交于
      Make sure the start adderess is aligned to PMD_SIZE
      boundary when freeing page table backing a hugepage
      region. The issue was causing segfaults when a region
      backed by 64K pages was unmapped since such a region
      is in general not PMD_SIZE aligned.
      Signed-off-by: NNitin Gupta <nitin.m.gupta@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      544f8f93
    • D
      sparc64: Use LOCKDEP_SMALL, not PROVE_LOCKING_SMALL · 395102db
      Daniel Jordan 提交于
      CONFIG_PROVE_LOCKING_SMALL shrinks the memory usage of lockdep so the
      kernel text, data, and bss fit in the required 32MB limit, but this
      option is not set for every config that enables lockdep.
      
      A 4.10 kernel fails to boot with the console output
      
          Kernel: Using 8 locked TLB entries for main kernel image.
          hypervisor_tlb_lock[2000000:0:8000000071c007c3:1]: errors with f
          Program terminated
      
      with these config options
      
          CONFIG_LOCKDEP=y
          CONFIG_LOCK_STAT=y
          CONFIG_PROVE_LOCKING=n
      
      To fix, rename CONFIG_PROVE_LOCKING_SMALL to CONFIG_LOCKDEP_SMALL, and
      enable this option with CONFIG_LOCKDEP=y so we get the reduced memory
      usage every time lockdep is turned on.
      
      Tested that CONFIG_LOCKDEP_SMALL is set to 'y' if and only if
      CONFIG_LOCKDEP is set to 'y'.  When other lockdep-related config options
      that select CONFIG_LOCKDEP are enabled (e.g. CONFIG_LOCK_STAT or
      CONFIG_PROVE_LOCKING), verified that CONFIG_LOCKDEP_SMALL is also
      enabled.
      
      Fixes: e6b5f1be ("config: Adding the new config parameter CONFIG_PROVE_LOCKING_SMALL for sparc")
      Signed-off-by: NDaniel Jordan <daniel.m.jordan@oracle.com>
      Reviewed-by: NBabu Moger <babu.moger@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      395102db
    • L
      Merge tag 'trace-v4.11-rc5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · fb5e2154
      Linus Torvalds 提交于
      Pull ftrace testcase update from Steven Rostedt:
       "While testing my development branch, without the fix for the pid use
        after free bug, the selftest that Namhyung added triggers it. I
        figured it would be good to add the test for the bug after the fix,
        such that it does not exist without the fix.
      
        I added another patch that lets the test only test part of the pid
        filtering, and ignores the function-fork (filtering on children as
        well) if the function-fork feature does not exist. This feature is
        added by Namhyung just before he added this test. But since the test
        tests both with and without the feature, it would be good to let it
        not fail if the feature does not exist"
      
      * tag 'trace-v4.11-rc5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        selftests: ftrace: Add check for function-fork before running pid filter test
        selftests: ftrace: Add a testcase for function PID filter
      fb5e2154
    • S
      selftests: ftrace: Add check for function-fork before running pid filter test · 9ed19c76
      Steven Rostedt (VMware) 提交于
      Have the func-filter-pid test check for the function-fork option before
      testing it. It can still test the pid filtering, but will stop before
      testing the function-fork option for children inheriting the pids.
      This allows the test to be added before the function-fork feature, but after
      a bug fix that triggers one of the bugs the test can cause.
      
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Shuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      9ed19c76
    • L
      Merge tag 'trace-v4.11-rc5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 0bad6d7e
      Linus Torvalds 提交于
      Pull ftrace fix from Steven Rostedt:
       "Namhyung Kim discovered a use after free bug. It has to do with adding
        a pid filter to function tracing in an instance, and then freeing the
        instance"
      
      * tag 'trace-v4.11-rc5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace: Fix function pid filter on instances
      0bad6d7e
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 5ee4c5a9
      Linus Torvalds 提交于
      Pull crypto fixes from Herbert Xu:
       "This fixes the following problems:
      
         - regression in new XTS/LRW code when used with async crypto
      
         - long-standing bug in ahash API when used with certain algos
      
         - bogus memory dereference in async algif_aead with certain algos"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: algif_aead - Fix bogus request dereference in completion function
        crypto: ahash - Fix EINPROGRESS notification callback
        crypto: lrw - Fix use-after-free on EINPROGRESS
        crypto: xts - Fix use-after-free on EINPROGRESS
      5ee4c5a9
    • N
      selftests: ftrace: Add a testcase for function PID filter · 093be89a
      Namhyung Kim 提交于
      Like event pid filtering test, add function pid filtering test with the
      new "function-fork" option.  It also tests it on an instance directory
      so that it can verify the bug related pid filtering on instances.
      
      Link: http://lkml.kernel.org/r/20170417024430.21194-5-namhyung@kernel.org
      
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Shuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: NNamhyung Kim <namhyung@kernel.org>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      093be89a
  4. 18 4月, 2017 8 次提交
    • H
      af_key: Fix sadb_x_ipsecrequest parsing · 096f41d3
      Herbert Xu 提交于
      The parsing of sadb_x_ipsecrequest is broken in a number of ways.
      First of all we're not verifying sadb_x_ipsecrequest_len.  This
      is needed when the structure carries addresses at the end.  Worse
      we don't even look at the length when we parse those optional
      addresses.
      
      The migration code had similar parsing code that's better but
      it also has some deficiencies.  The length is overcounted first
      of all as it includes the header itself.  It also fails to check
      the length before dereferencing the sa_family field.
      
      This patch fixes those problems in parse_sockaddr_pair and then
      uses it in parse_ipsecrequest.
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      096f41d3
    • L
      Merge branch 'parisc-4.11-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 20bb78f6
      Linus Torvalds 提交于
      Pull parisc fix from Helge Deller:
       "One patch which fixes get_user() for 64-bit values on 32-bit kernels.
      
        Up to now we lost the upper 32-bits of the returned 64-bit value"
      
      * 'parisc-4.11-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Fix get_user() for 64-bit value on 32-bit kernel
      20bb78f6
    • N
      ftrace: Fix function pid filter on instances · d879d0b8
      Namhyung Kim 提交于
      When function tracer has a pid filter, it adds a probe to sched_switch
      to track if current task can be ignored.  The probe checks the
      ftrace_ignore_pid from current tr to filter tasks.  But it misses to
      delete the probe when removing an instance so that it can cause a crash
      due to the invalid tr pointer (use-after-free).
      
      This is easily reproducible with the following:
      
        # cd /sys/kernel/debug/tracing
        # mkdir instances/buggy
        # echo $$ > instances/buggy/set_ftrace_pid
        # rmdir instances/buggy
      
        ============================================================================
        BUG: KASAN: use-after-free in ftrace_filter_pid_sched_switch_probe+0x3d/0x90
        Read of size 8 by task kworker/0:1/17
        CPU: 0 PID: 17 Comm: kworker/0:1 Tainted: G    B           4.11.0-rc3  #198
        Call Trace:
         dump_stack+0x68/0x9f
         kasan_object_err+0x21/0x70
         kasan_report.part.1+0x22b/0x500
         ? ftrace_filter_pid_sched_switch_probe+0x3d/0x90
         kasan_report+0x25/0x30
         __asan_load8+0x5e/0x70
         ftrace_filter_pid_sched_switch_probe+0x3d/0x90
         ? fpid_start+0x130/0x130
         __schedule+0x571/0xce0
         ...
      
      To fix it, use ftrace_clear_pids() to unregister the probe.  As
      instance_rmdir() already updated ftrace codes, it can just free the
      filter safely.
      
      Link: http://lkml.kernel.org/r/20170417024430.21194-2-namhyung@kernel.org
      
      Fixes: 0c8916c3 ("tracing: Add rmdir to remove multibuffer instances")
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: stable@vger.kernel.org
      Reviewed-by: NMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: NNamhyung Kim <namhyung@kernel.org>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      d879d0b8
    • D
      Merge branch 'bpf-fixes' · acf167f3
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      Two BPF fixes
      
      The set fixes cb_access and xdp_adjust_head bits in struct bpf_prog,
      that are used for requirement checks on the program rather than f.e.
      heuristics. Thus, for tail calls, we cannot make any assumptions and
      are forced to set them.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      acf167f3
    • D
      bpf: fix checking xdp_adjust_head on tail calls · c2002f98
      Daniel Borkmann 提交于
      Commit 17bedab2 ("bpf: xdp: Allow head adjustment in XDP prog")
      added the xdp_adjust_head bit to the BPF prog in order to tell drivers
      that the program that is to be attached requires support for the XDP
      bpf_xdp_adjust_head() helper such that drivers not supporting this
      helper can reject the program. There are also drivers that do support
      the helper, but need to check for xdp_adjust_head bit in order to move
      packet metadata prepended by the firmware away for making headroom.
      
      For these cases, the current check for xdp_adjust_head bit is insufficient
      since there can be cases where the program itself does not use the
      bpf_xdp_adjust_head() helper, but tail calls into another program that
      uses bpf_xdp_adjust_head(). As such, the xdp_adjust_head bit is still
      set to 0. Since the first program has no control over which program it
      calls into, we need to assume that bpf_xdp_adjust_head() helper is used
      upon tail calls. Thus, for the very same reasons in cb_access, set the
      xdp_adjust_head bit to 1 when the main program uses tail calls.
      
      Fixes: 17bedab2 ("bpf: xdp: Allow head adjustment in XDP prog")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c2002f98
    • D
      bpf: fix cb access in socket filter programs on tail calls · 6b1bb01b
      Daniel Borkmann 提交于
      Commit ff936a04 ("bpf: fix cb access in socket filter programs")
      added a fix for socket filter programs such that in i) AF_PACKET the
      20 bytes of skb->cb[] area gets zeroed before use in order to not leak
      data, and ii) socket filter programs attached to TCP/UDP sockets need
      to save/restore these 20 bytes since they are also used by protocol
      layers at that time.
      
      The problem is that bpf_prog_run_save_cb() and bpf_prog_run_clear_cb()
      only look at the actual attached program to determine whether to zero
      or save/restore the skb->cb[] parts. There can be cases where the
      actual attached program does not access the skb->cb[], but the program
      tail calls into another program which does access this area. In such
      a case, the zero or save/restore is currently not performed.
      
      Since the programs we tail call into are unknown at verification time
      and can dynamically change, we need to assume that whenever the attached
      program performs a tail call, that later programs could access the
      skb->cb[], and therefore we need to always set cb_access to 1.
      
      Fixes: ff936a04 ("bpf: fix cb access in socket filter programs")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6b1bb01b
    • F
      ipv6: drop non loopback packets claiming to originate from ::1 · 0aa8c13e
      Florian Westphal 提交于
      We lack a saddr check for ::1. This causes security issues e.g. with acls
      permitting connections from ::1 because of assumption that these originate
      from local machine.
      
      Assuming a source address of ::1 is local seems reasonable.
      RFC4291 doesn't allow such a source address either, so drop such packets.
      Reported-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0aa8c13e
    • D
      Merge branch 'mediatek-tx-bugs' · 71947f0f
      David S. Miller 提交于
      Sean Wang says:
      
      ====================
      mediatek: Fix crash caused by reporting inconsistent skb->len to BQL
      
      Changes since v1:
      - fix inconsistent enumeration which easily causes the potential bug
      
      The series fixes kernel BUG caused by inconsistent SKB length reported
      into BQL. The reason for inconsistent length comes from hardware BUG which
      results in different port number carried on the TXD within the lifecycle of
      SKB. So patch 2) is proposed for use a software way to track which port
      the SKB involving instead of hardware way. And patch 1) is given for another
      issue I found which causes TXD and SKB inconsistency that is not expected
      in the initial logic, so it is also being corrected it in the series.
      
      The log for the kernel BUG caused by the issue is posted as below.
      
      [  120.825955] kernel BUG at ... lib/dynamic_queue_limits.c:26!
      [  120.837684] Internal error: Oops - BUG: 0 [#1] SMP ARM
      [  120.842778] Modules linked in:
      [  120.845811] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.11.0-rc1-191576-gdbcef47 #35
      [  120.853488] Hardware name: Mediatek Cortex-A7 (Device Tree)
      [  120.859012] task: c1007480 task.stack: c1000000
      [  120.863510] PC is at dql_completed+0x108/0x17c
      [  120.867915] LR is at 0x46
      [  120.870512] pc : [<c03c19c8>]    lr : [<00000046>]    psr: 80000113
      [  120.870512] sp : c1001d58  ip : c1001d80  fp : c1001d7c
      [  120.881895] r10: 0000003e  r9 : df6b3400  r8 : 0ed86506
      [  120.887075] r7 : 00000001  r6 : 00000001  r5 : 0ed8654c  r4 : df0135d8
      [  120.893546] r3 : 00000001  r2 : df016800  r1 : 0000fece  r0 : df6b3480
      [  120.900018] Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [  120.907093] Control: 10c5387d  Table: 9e27806a  DAC: 00000051
      [  120.912789] Process swapper/0 (pid: 0, stack limit = 0xc1000218)
      [  120.918744] Stack: (0xc1001d58 to 0xc1002000)
      
      ....
      
      121.085331] 1fc0: 00000000 c0a52a28 00000000 c10855d4 c1003c58 c0a52a24 c100885c 8000406a
      [  121.093444] 1fe0: 410fc073 00000000 00000000 c1001ff8 8000807c c0a009cc 00000000 00000000
      [  121.101575] [<c03c19c8>] (dql_completed) from [<c04cb010>] (mtk_napi_tx+0x1d0/0x37c)
      [  121.109263] [<c04cb010>] (mtk_napi_tx) from [<c05e28cc>] (net_rx_action+0x24c/0x3b8)
      [  121.116951] [<c05e28cc>] (net_rx_action) from [<c010152c>] (__do_softirq+0xe4/0x35c)
      [  121.124638] [<c010152c>] (__do_softirq) from [<c012a624>] (irq_exit+0xe8/0x150)
      [  121.131895] [<c012a624>] (irq_exit) from [<c017750c>] (__handle_domain_irq+0x70/0xc4)
      [  121.139666] [<c017750c>] (__handle_domain_irq) from [<c0101404>] (gic_handle_irq+0x58/0x9c)
      [  121.147953] [<c0101404>] (gic_handle_irq) from [<c010e18c>] (__irq_svc+0x6c/0x90)
      [  121.155373] Exception stack(0xc1001ef8 to 0xc1001f40)
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      71947f0f