  1. 09 Aug, 2021 1 commit
    • dccp: add do-while-0 stubs for dccp_pr_debug macros · 86aab09a
      Randy Dunlap committed
      GCC complains about empty macros in an 'if' statement, so convert
      them to 'do {} while (0)' macros.
      
      Fixes these build warnings:
      
      net/dccp/output.c: In function 'dccp_xmit_packet':
      ../net/dccp/output.c:283:71: warning: suggest braces around empty body in an 'if' statement [-Wempty-body]
        283 |                 dccp_pr_debug("transmit_skb() returned err=%d\n", err);
      net/dccp/ackvec.c: In function 'dccp_ackvec_update_old':
      ../net/dccp/ackvec.c:163:80: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
        163 |                                               (unsigned long long)seqno, state);
      
      Fixes: dc841e30 ("dccp: Extend CCID packet dequeueing interface")
      Fixes: 38024086 ("dccp ccid-2: Update code for the Ack Vector input/registration routine")
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Cc: dccp@vger.kernel.org
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 08 Aug, 2021 9 commits
    • ppp: Fix generating ppp unit id when ifname is not specified · 3125f26c
      Pali Rohár committed
      When registering new ppp interface via PPPIOCNEWUNIT ioctl then kernel has
      to choose interface name as this ioctl API does not support specifying it.
      
      Kernel in this case registers new interface with name "ppp<id>" where <id>
      is the ppp unit id, which can be obtained via PPPIOCGUNIT ioctl. This
      applies also in the case when registering new ppp interface via rtnl
      without supplying IFLA_IFNAME.
      
      PPPIOCNEWUNIT ioctl allows specifying own ppp unit id which the kernel will
      assign to ppp interface, in case this ppp id is not already used by other
      ppp interface.
      
      In case user does not specify ppp unit id then kernel chooses the first free
      ppp unit id. This applies also for case when creating ppp interface via
      rtnl method as it does not provide a way for specifying own ppp unit id.
      
      If some network interface (does not have to be ppp) has name "ppp<id>"
      with this first free ppp id then PPPIOCNEWUNIT ioctl or rtnl call fails.
      
      And registering new ppp interface is not possible anymore, until interface
      which holds conflicting name is renamed. Or when using rtnl method with
      custom interface name in IFLA_IFNAME.
      
      As list of allocated / used ppp unit ids is not possible to retrieve from
      kernel to userspace, userspace has no idea what happens nor which interface
      is doing this conflict.
      
      So change the algorithm how ppp unit id is generated. And choose the first
      number which is neither used as ppp unit id nor in some network
      interface with pattern "ppp<id>".
      
      This issue can be simply reproduced by following pppd call when there is no
      ppp interface registered and also no interface with name pattern "ppp<id>":
      
          pppd ifname ppp1 +ipv6 noip noauth nolock local nodetach pty "pppd +ipv6 noip noauth nolock local nodetach notty"
      
      Or by creating the one ppp interface (which gets assigned ppp unit id 0),
      renaming it to "ppp1" and then trying to create a new ppp interface (which
      will always fail as next free ppp unit id is 1, but network interface with
      name "ppp1" exists).
      
      This patch fixes above described issue by generating new and new ppp unit
      id until some non-conflicting id with network interfaces is generated.
      Signed-off-by: Pali Rohár <pali@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ppp: Fix generating ifname when empty IFLA_IFNAME is specified · 2459dcb9
      Pali Rohár committed
      IFLA_IFNAME is nul-term string which means that IFLA_IFNAME buffer can be
      larger than length of string which it contains.
      
      Function __rtnl_newlink() generates new own ifname if either IFLA_IFNAME
      was not specified at all or userspace passed empty nul-term string.
      
      It is expected that if userspace does not specify ifname for new ppp netdev
      then kernel generates one in format "ppp<id>" where id matches to the ppp
      unit id which can be later obtained by PPPIOCGUNIT ioctl.
      
      And it works in this way if IFLA_IFNAME is not specified at all. But it
      does not work when IFLA_IFNAME is specified with empty string.
      
      So fix this logic also for empty IFLA_IFNAME in ppp_nl_newlink() function
      and correctly generate ifname based on ppp unit identifier if userspace
      did not provide preferred ifname.
      
      Without this patch when IFLA_IFNAME was specified with empty string then
      kernel created a new ppp interface in format "ppp<id>" but id did not
      match ppp unit id returned by PPPIOCGUNIT ioctl. In this case id was some
      number generated by __rtnl_newlink() function.
      Signed-off-by: Pali Rohár <pali@kernel.org>
      Fixes: bb8082f6 ("ppp: build ifname using unit identifier for rtnl based devices")
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'bnxt_en-ptp-fixes' · 2f5501a8
      David S. Miller committed
      Michael Chan says:
      
      ====================
      bnxt_en: PTP fixes
      
      This series includes 2 fixes for the PTP feature.  Update to the new
      firmware interface so that the driver can pass the PTP sequence number
      header offset of TX packets to the firmware.  This is needed for all
      PTP packet types (v1, v2, with or without VLAN) to work.  The 2nd
      fix is to use a different register window to read the PHC to avoid
      conflict with an older Broadcom tool.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bnxt_en: Use register window 6 instead of 5 to read the PHC · 92529df7
      Michael Chan committed
      Some older Broadcom debug tools use window 5 and may conflict, so switch
      to use window 6 instead.
      
      Fixes: 118612d5 ("bnxt_en: Add PTP clock APIs, ioctls, and ethtool methods")
      Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bnxt_en: Update firmware call to retrieve TX PTP timestamp · 9e266807
      Michael Chan committed
      New firmware interface requires the PTP sequence ID header offset to
      be passed to the firmware to properly find the matching timestamp
      for all protocols.
      
      Fixes: 83bb623c ("bnxt_en: Transmit and retrieve packet timestamps")
      Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bnxt_en: Update firmware interface to 1.10.2.52 · fbfee257
      Michael Chan committed
      The key change is the firmware call to retrieve the PTP TX timestamp.
      The header offset for the PTP sequence number field is now added.
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • once: Fix panic when module unload · 1027b96e
      Kefeng Wang committed
      DO_ONCE
      DEFINE_STATIC_KEY_TRUE(___once_key);
      __do_once_done
        once_disable_jump(once_key);
          INIT_WORK(&w->work, once_deferred);
          struct once_work *w;
          w->key = key;
          schedule_work(&w->work);                     module unload
                                                         //*the key is destroy*
      process_one_work
        once_deferred
          BUG_ON(!static_key_enabled(work->key));
             static_key_count((struct static_key *)x)    //*access key, crash*
      
      When module uses DO_ONCE mechanism, it could crash due to the above
      concurrency problem, we could reproduce it with link[1].
      
      Fix it by add/put module refcount in the once work process.
      
      [1] https://lore.kernel.org/netdev/eaa6c371-465e-57eb-6be9-f4b16b9d7cbf@huawei.com/
      
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Reported-by: Minmin chen <chenmingmin@huawei.com>
      Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
      Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ptp: Fix possible memory leak caused by invalid cast · d329e41a
      Vinicius Costa Gomes committed
      Fixes possible leak of PTP virtual clocks.
      
      The number of PTP virtual clocks to be unregistered is passed as
      'u32', but the function that unregisters the devices handles that as
      'u8'.
      
      Fixes: 73f37068 ("ptp: support ptp physical/virtual clocks conversion")
      Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: micrel: Fix link detection on ksz87xx switch" · 2383cb94
      Ben Hutchings committed
      Commit a5e63c7d "net: phy: micrel: Fix detection of ksz87xx
      switch" broke link detection on the external ports of the KSZ8795.
      
      The previously unused phy_driver structure for these devices specifies
      config_aneg and read_status functions that appear to be designed for a
      fixed link and do not work with the embedded PHYs in the KSZ8795.
      
      Delete the use of these functions in favour of the generic PHY
      implementations which were used previously.
      
      Fixes: a5e63c7d ("net: phy: micrel: Fix detection of ksz87xx switch")
      Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 07 Aug, 2021 10 commits
  4. 06 Aug, 2021 19 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · cc4e5eec
      Jakub Kicinski committed
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Restrict range element expansion in ipset to avoid soft lockup,
         from Jozsef Kadlecsik.
      
      2) Memleak in error path for nf_conntrack_bridge for IPv4 packets,
         from Yajun Deng.
      
      3) Simplify conntrack garbage collection strategy to avoid frequent
         wake-ups, from Florian Westphal.
      
      4) Fix NFNLA_HOOK_FUNCTION_NAME string, do not include module name.
      
      5) Missing chain family netlink attribute in chain description
         in nfnetlink_hook.
      
      6) Incorrect sequence number on nfnetlink_hook dumps.
      
      7) Use netlink request family in reply message for consistency.
      
      8) Remove offload_pickup sysctl, use conntrack for established state
         instead, from Florian Westphal.
      
      9) Translate NFPROTO_INET/ingress to NFPROTO_NETDEV/ingress, since
         NFPROTO_INET is not exposed through nfnetlink_hook.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf:
        netfilter: nfnetlink_hook: translate inet ingress to netdev
        netfilter: conntrack: remove offload_pickup sysctl again
        netfilter: nfnetlink_hook: Use same family as request message
        netfilter: nfnetlink_hook: use the sequence number of the request message
        netfilter: nfnetlink_hook: missing chain family
        netfilter: nfnetlink_hook: strip off module name from hookfn
        netfilter: conntrack: collect all entries in one cycle
        netfilter: nf_conntrack_bridge: Fix memory leak when error
        netfilter: ipset: Limit the maximal range of consecutive elements to add/delete
      ====================
      
      Link: https://lore.kernel.org/r/20210806151149.6356-1-pablo@netfilter.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • netfilter: nfnetlink_hook: translate inet ingress to netdev · 269fc695
      Pablo Neira Ayuso committed
      The NFPROTO_INET pseudofamily is not exposed through this new netlink
      interface. The netlink dump either shows NFPROTO_IPV4 or NFPROTO_IPV6
      for NFPROTO_INET prerouting/input/forward/output/postrouting hooks.
      The NFNLA_CHAIN_FAMILY attribute provides the family chain, which
      specifies if this hook applies to inet traffic only (either IPv4 or
      IPv6).
      
      Translate the inet/ingress hook to netdev/ingress to fully hide the
      NFPROTO_INET implementation details.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: conntrack: remove offload_pickup sysctl again · 4592ee7f
      Florian Westphal committed
      These two sysctls were added because the hardcoded defaults (2 minutes,
      tcp, 30 seconds, udp) turned out to be too low for some setups.
      
      They appeared in 5.14-rc1 so it should be fine to remove it again.
      
      Marcelo convinced me that there should be no difference between a flow
      that was offloaded vs. a flow that was not wrt. timeout handling.
      Thus the default is changed to those for TCP established and UDP stream,
      5 days and 120 seconds, respectively.
      
      Marcelo also suggested to account for the timeout value used for the
      offloading, this avoids increase beyond the value in the conntrack-sysctl
      and will also instantly expire the conntrack entry with altered sysctls.
      
      Example:
         nf_conntrack_udp_timeout_stream=60
         nf_flowtable_udp_timeout=60
      
      This will remove offloaded udp flows after one minute, rather than two.
      
      An earlier version of this patch also cleared the ASSURED bit to
      allow nf_conntrack to evict the entry via early_drop (i.e., table full).
      However, it looks like we can safely assume that connection timed out
      via HW is still in established state, so this isn't needed.
      
      Quoting Oz:
       [..] the hardware sends all packets with a set FIN flags to sw.
       [..] Connections that are aged in hardware are expected to be in the
       established state.
      
      In case it turns out that back-to-sw-path transition can occur for
      'dodgy' connections too (e.g., one side disappeared while software-path
      would have been in RETRANS timeout), we can adjust this later.
      
      Cc: Oz Shlomo <ozsh@nvidia.com>
      Cc: Paul Blakey <paulb@nvidia.com>
      Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: Oz Shlomo <ozsh@nvidia.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnetlink_hook: Use same family as request message · 69311e7c
      Pablo Neira Ayuso committed
      Use the same family as the request message, for consistency. The
      netlink payload provides sufficient information to describe the hook
      object, including the family.
      
      This makes it easier for userspace to correlate the hooks that are
      visited by the packets for a certain family.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnetlink_hook: use the sequence number of the request message · 3d9bbaf6
      Pablo Neira Ayuso committed
      The sequence number allows to correlate the netlink reply message (as
      part of the dump) with the original request message.
      
      The cb->seq field is internally used to detect an interference (update)
      of the hook list during the netlink dump, do not use it as sequence
      number in the netlink dump header.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnetlink_hook: missing chain family · a6e57c4a
      Pablo Neira Ayuso committed
      The family is relevant for pseudo-families like NFPROTO_INET
      otherwise the user needs to rely on the hook function name to
      differentiate it from NFPROTO_IPV4 and NFPROTO_IPV6 names.
      
      Add nfnl_hook_chain_desc_attributes instead of using the existing
      NFTA_CHAIN_* attributes, since these do not provide a family number.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnetlink_hook: strip off module name from hookfn · 61e0c2bc
      Pablo Neira Ayuso committed
      NFNLA_HOOK_FUNCTION_NAME should include the hook function name only,
      the module name is already provided by NFNLA_HOOK_MODULE_NAME.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: conntrack: collect all entries in one cycle · 4608fdfc
      Florian Westphal committed
      Michal Kubecek reports that conntrack gc is responsible for frequent
      wakeups (every 125ms) on idle systems.
      
      On busy systems, timed out entries are evicted during lookup.
      The gc worker is only needed to remove entries after system becomes idle
      after a busy period.
      
      To resolve this, always scan the entire table.
      If the scan is taking too long, reschedule so other work_structs can run
      and resume from next bucket.
      
      After a completed scan, wait for 2 minutes before the next cycle.
      Heuristics for faster re-schedule are removed.
      
      GC_SCAN_INTERVAL could be exposed as a sysctl in the future to allow
      tuning this as-needed or even turn the gc worker off.
      Reported-by: Michal Kubecek <mkubecek@suse.cz>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • net: mvvp2: fix short frame size on s390 · 704e624f
      John Hubbard committed
      On s390, the following build warning occurs:
      
      drivers/net/ethernet/marvell/mvpp2/mvpp2.h:844:2: warning: overflow in
      conversion from 'long unsigned int' to 'int' changes value from
      '18446744073709551584' to '-32' [-Woverflow]
      844 |  ((total_size) - MVPP2_SKB_HEADROOM - MVPP2_SKB_SHINFO_SIZE)
      
      This happens because MVPP2_SKB_SHINFO_SIZE, which is 320 bytes (which is
      already 64-byte aligned) on some architectures, actually gets ALIGN'd up
      to 512 bytes in the s390 case.
      
      So then, when this is invoked:
      
          MVPP2_RX_MAX_PKT_SIZE(MVPP2_BM_SHORT_FRAME_SIZE)
      
      ...that turns into:
      
           704 - 224 - 512 == -32
      
      ...which is not a good frame size to end up with! The warning above is a
      bit lucky: it notices a signed/unsigned bad behavior here, which leads
      to the real problem of a frame that is too short for its contents.
      
      Increase MVPP2_BM_SHORT_FRAME_SIZE by 32 (from 704 to 736), which is
      just exactly big enough. (The other values can't readily be changed
      without causing a lot of other problems.)
      
      Fixes: 07dd0a7a ("mvpp2: add basic XDP support")
      Cc: Sven Auhagen <sven.auhagen@voleatech.de>
      Cc: Matteo Croce <mcroce@microsoft.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: John Hubbard <jhubbard@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: mt7530: add the missing RxUnicast MIB counter · aff51c5d
      DENG Qingfang committed
      Add the missing RxUnicast counter.
      
      Fixes: b8f126a8 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
      Signed-off-by: DENG Qingfang <dqfext@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'net-5.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 902e7f37
      Linus Torvalds committed
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from ipsec.
      
        Current release - regressions:
      
         - sched: taprio: fix init procedure to avoid inf loop when dumping
      
         - sctp: move the active_key update after sh_keys is added
      
        Current release - new code bugs:
      
         - sparx5: fix build with old GCC & bitmask on 32-bit targets
      
        Previous releases - regressions:
      
         - xfrm: redo the PREEMPT_RT RCU vs hash_resize_mutex deadlock fix
      
         - xfrm: fixes for the compat netlink attribute translator
      
         - phy: micrel: Fix detection of ksz87xx switch
      
        Previous releases - always broken:
      
         - gro: set inner transport header offset in tcp/udp GRO hook to avoid
           crashes when such packets reach GSO
      
         - vsock: handle VIRTIO_VSOCK_OP_CREDIT_REQUEST, as required by spec
      
         - dsa: sja1105: fix static FDB entries on SJA1105P/Q/R/S and SJA1110
      
         - bridge: validate the NUD_PERMANENT bit when adding an extern_learn
           FDB entry
      
         - usb: lan78xx: don't modify phy_device state concurrently
      
         - usb: pegasus: check for errors of IO routines"
      
      * tag 'net-5.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (48 commits)
        net: vxge: fix use-after-free in vxge_device_unregister
        net: fec: fix use-after-free in fec_drv_remove
        net: pegasus: fix uninit-value in get_interrupt_interval
        net: ethernet: ti: am65-cpsw: fix crash in am65_cpsw_port_offload_fwd_mark_update()
        bnx2x: fix an error code in bnx2x_nic_load()
        net: wwan: iosm: fix recursive lock acquire in unregister
        net: wwan: iosm: correct data protocol mask bit
        net: wwan: iosm: endianness type correction
        net: wwan: iosm: fix lkp buildbot warning
        net: usb: lan78xx: don't modify phy_device state concurrently
        docs: networking: netdevsim rules
        net: usb: pegasus: Remove the changelog and DRIVER_VERSION.
        net: usb: pegasus: Check the return value of get_geristers() and friends;
        net/prestera: Fix devlink groups leakage in error flow
        net: sched: fix lockdep_set_class() typo error for sch->seqlock
        net: dsa: qca: ar9331: reorder MDIO write sequence
        VSOCK: handle VIRTIO_VSOCK_OP_CREDIT_REQUEST
        mptcp: drop unused rcu member in mptcp_pm_addr_entry
        net: ipv6: fix returned variable type in ip6_skb_dst_mtu
        nfp: update ethtool reporting of pauseframe control
        ...
    • Bluetooth: defer cleanup of resources in hci_unregister_dev() · e0448092
      Tetsuo Handa committed
      syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
      calling lock_sock() with rw spinlock held [1].
      
      It seems that history of this locking problem is a trial and error.
      
      Commit b40df574 ("[PATCH] bluetooth: fix socket locking in
      hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
      lock_sock() as an attempt to fix lockdep warning.
      
      Then, commit 4ce61d1c ("[BLUETOOTH]: Fix locking in
      hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
      local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
      sleep in atomic context warning.
      
      Then, commit 4b5dd696 ("Bluetooth: Remove local_bh_disable() from
      hci_sock.c") in 3.3-rc1 removed local_bh_disable().
      
      Then, commit e305509e ("Bluetooth: use correct lock to prevent UAF
      of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
      lock_sock() as an attempt to fix CVE-2021-3573.
      
      This difficulty comes from current implementation that
      hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
      references from sockets because hci_unregister_dev() immediately
      reclaims resources as soon as returning from
      hci_sock_dev_event(HCI_DEV_UNREG).
      
      But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
      doing what it should do.
      
      Therefore, instead of trying to detach sockets from device, let's accept
      not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
      by moving actual cleanup of resources from hci_unregister_dev() to
      hci_cleanup_dev() which is called by bt_host_release() when all
      references to this unregistered device (which is a kobject) are gone.
      
      Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
      hci_pi(sk)->hdev, we need to check whether this device was unregistered
      and return an error based on HCI_UNREGISTER flag.  There might be subtle
      behavioral difference in "monitor the hdev" functionality; please report
      if you found something went wrong due to this patch.
      
      Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
      Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com>
      Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Fixes: e305509e ("Bluetooth: use correct lock to prevent UAF of hdev object")
      Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'selinux-pr-20210805' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux · 0b53abfc
      Linus Torvalds committed
      Pull selinux fix from Paul Moore:
       "One small SELinux fix for a problem where an error code was not being
        propagated back up to userspace when a bogus SELinux policy is loaded
        into the kernel"
      
      * tag 'selinux-pr-20210805' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
        selinux: correct the return value when loads initial sids
    • Merge branch 'for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 6209049e
      Linus Torvalds committed
      Pull ucounts fix from Eric Biederman:
       "Fix a subtle locking versus reference counting bug in the ucount
        changes, found by syzbot"
      
      * 'for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        ucounts: Fix race condition between alloc_ucounts and put_ucounts
    • Merge tag 'trace-v5.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 3c3e9027
      Linus Torvalds committed
      Pull tracing fixes from Steven Rostedt:
       "Various tracing fixes:
      
         - Fix NULL pointer dereference caused by an error path
      
         - Give histogram calculation fields a size, otherwise it breaks
           synthetic creation based on them.
      
         - Reject strings being used for number calculations.
      
         - Fix recordmcount.pl warning on llvm building RISC-V allmodconfig
      
         - Fix the draw_functrace.py script to handle the new trace output
      
         - Fix warning of smp_processor_id() in preemptible code"
      
      * tag 'trace-v5.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Quiet smp_processor_id() use in preemptable warning in hwlat
        scripts/tracing: fix the bug that can't parse raw_trace_func
        scripts/recordmcount.pl: Remove check_objcopy() and $can_use_local
        tracing: Reject string operand in the histogram expression
        tracing / histogram: Give calculation hist_fields a size
        tracing: Fix NULL pointer dereference in start_creating
    • Merge tag 's390-5.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 130951bb
      Linus Torvalds committed
      Pull s390 fixes from Heiko Carstens:
      
       - fix zstd build for -march=z900 (undefined reference to __clzdi2)
      
       - add missing .got.plts to vdso linker scripts to fix kpatch build
         errors
      
       - update defconfigs
      
      * tag 's390-5.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390/boot: fix zstd build for -march=z900
        s390/vdso: add .got.plt in vdso linker script
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 97fcc07b
      Linus Torvalds committed
      Pull kvm fixes from Paolo Bonzini:
       "Mostly bugfixes; plus, support for XMM arguments to Hyper-V hypercalls
        now obeys KVM_CAP_HYPERV_ENFORCE_CPUID.
      
        Both the XMM arguments feature and KVM_CAP_HYPERV_ENFORCE_CPUID are
        new in 5.14, and each did not know of the other"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
        KVM: selftests: fix hyperv_clock test
        KVM: SVM: improve the code readability for ASID management
        KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB
        KVM: Do not leak memory for duplicate debugfs directories
        KVM: selftests: Test access to XMM fast hypercalls
        KVM: x86: hyper-v: Check if guest is allowed to use XMM registers for hypercall input
        KVM: x86: Introduce trace_kvm_hv_hypercall_done()
        KVM: x86: hyper-v: Check access to hypercall before reading XMM registers
        KVM: x86: accept userspace interrupt only if no event is injected
    • Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux · 611ffd8a
      Linus Torvalds committed
      Pull pcmcia fix from Dominik Brodowski:
       "Zheyu Ma found and fixed a null pointer dereference bug in the device
        driver for the i82092 card reader"
      
      * 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux:
        pcmcia: i82092: fix a null pointer dereference bug
    • pipe: increase minimum default pipe size to 2 pages · 46c4c9d1
      Alex Xu (Hello71) committed
      This program always prints 4096 and hangs before the patch, and always
      prints 8192 and exits successfully after:
      
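        #define _GNU_SOURCE          /* for F_GETPIPE_SZ */
        #include <fcntl.h>
        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>

        int main()
        {
            int pipefd[2];
            /* open 1025 pipes; the last pair is used below */
            for (int i = 0; i < 1025; i++)
                if (pipe(pipefd) == -1)
                    return 1;
            size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ);
            printf("%zu\n", bufsz);
            char *buf = calloc(bufsz, 1);
            write(pipefd[1], buf, bufsz);
            read(pipefd[0], buf, bufsz-1);
            write(pipefd[1], buf, 1);
        }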
      
      Note that you may need to increase your RLIMIT_NOFILE before running the
      program.
      
      Fixes: 759c0114 ("pipe: limit the per-user amount of pages allocated in pipes")
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/
      Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/
      Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  5. 05 Aug, 2021 1 commit