1. 16 11月, 2021 9 次提交
  2. 15 11月, 2021 19 次提交
  3. 14 11月, 2021 1 次提交
    • P
      net,lsm,selinux: revert the security_sctp_assoc_established() hook · 1aa3b220
      Paul Moore 提交于
      This patch reverts two prior patches, e7310c94
      ("security: implement sctp_assoc_established hook in selinux") and
      7c2ef024 ("security: add sctp_assoc_established hook"), which
      create the security_sctp_assoc_established() LSM hook and provide a
      SELinux implementation.  Unfortunately these two patches were merged
      without proper review (the Reviewed-by and Tested-by tags from
      Richard Haines were for previous revisions of these patches that
      were significantly different) and there are outstanding objections
      from the SELinux maintainers regarding these patches.
      
      Work is currently ongoing to correct the problems identified in the
      reverted patches, as well as others that have come up during review,
      but it is unclear at this point in time when that work will be ready
      for inclusion in the mainline kernel.  In the interest of not keeping
      objectionable code in the kernel for multiple weeks, and potentially
      a kernel release, we are reverting the two problematic patches.
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1aa3b220
  4. 13 11月, 2021 11 次提交
    • A
      tcp: Fix uninitialized access in skb frags array for Rx 0cp. · 70701b83
      Arjun Roy 提交于
      TCP Receive zerocopy iterates through the SKB queue via
      tcp_recv_skb(), acquiring a pointer to an SKB and an offset within
      that SKB to read from. From there, it iterates the SKB frags array to
      determine which offset to start remapping pages from.
      
      However, this is built on the assumption that the offset read so far
      within the SKB is smaller than the SKB length. If this assumption is
      violated, we can attempt to read an invalid frags array element, which
      would cause a fault.
      
      tcp_recv_skb() can cause such an SKB to be returned when the TCP FIN
      flag is set. Therefore, we must guard against this occurrence inside
      skb_advance_frag().
      
      One way that we can reproduce this error follows:
      1) In a receiver program, call getsockopt(TCP_ZEROCOPY_RECEIVE) with:
      char some_array[32 * 1024];
      struct tcp_zerocopy_receive zc = {
        .copybuf_address  = (__u64) &some_array[0],
        .copybuf_len = 32 * 1024,
      };
      
      2) In a sender program, after a TCP handshake, send the following
      sequence of packets:
        i) Seq = [X, X+4000]
        ii) Seq = [X+4000, X+5000]
        iii) Seq = [X+4000, X+5000], Flags = FIN | URG, urgptr=1000
      
      (This can happen without URG, if we have a signal pending, but URG is
      a convenient way to reproduce the behaviour).
      
      In this case, the following event sequence will occur on the receiver:
      
      tcp_zerocopy_receive():
      -> receive_fallback_to_copy() // copybuf_len >= inq
      -> tcp_recvmsg_locked() // reads 5000 bytes, then breaks due to URG
      -> tcp_recv_skb() // yields skb with skb->len == offset
      -> tcp_zerocopy_set_hint_for_skb()
      -> skb_advance_to_frag() // will returns a frags ptr. >= nr_frags
      -> find_next_mappable_frag() // will dereference this bad frags ptr.
      
      With this patch, skb_advance_to_frag() will no longer return an
      invalid frags pointer, and will return NULL instead, fixing the issue.
      Signed-off-by: NArjun Roy <arjunroy@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Fixes: 05255b82 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
      Link: https://lore.kernel.org/r/20211111235215.2605384-1-arjunroy.kdev@gmail.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      70701b83
    • J
      ethernet: sis900: fix indentation · aae45872
      Jakub Kicinski 提交于
      A space has snuck in.
      Reported-by: Nkernel test robot <lkp@intel.com>
      Fixes: 74fad215 ("ethernet: sis900: use eth_hw_addr_set()")
      Link: https://lore.kernel.org/r/20211111210824.676201-1-kuba@kernel.orgSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      aae45872
    • K
      net/ipa: ipa_resource: Fix wrong for loop range · 27df68d5
      Konrad Dybcio 提交于
      The source group count was mistakenly assigned to both dst and src loops.
      Fix it to make IPA probe and work again.
      
      Fixes: 4fd704b3 ("net: ipa: record number of groups in data")
      Acked-by: NAngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
      Reviewed-by: NMarijn Suijten <marijn.suijten@somainline.org>
      Signed-off-by: NKonrad Dybcio <konrad.dybcio@somainline.org>
      Reviewed-by: NAlex Elder <elder@linaro.org>
      Link: https://lore.kernel.org/r/20211111183724.593478-1-konrad.dybcio@somainline.orgSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      27df68d5
    • J
      selftests: net: switch to socat in the GSO GRE test · 0cda7d4b
      Jakub Kicinski 提交于
      Commit a985442f ("selftests: net: properly support IPv6 in GSO GRE test")
      is not compatible with:
      
        Ncat: Version 7.80 ( https://nmap.org/ncat )
      
      (which is distributed with Fedora/Red Hat), tests fail with:
      
        nc: invalid option -- 'N'
      
      Let's switch to socat which is far more dependable.
      
      Fixes: 025efa0a ("selftests: add simple GSO GRE test")
      Fixes: a985442f ("selftests: net: properly support IPv6 in GSO GRE test")
      Tested-by: NAndrea Righi <andrea.righi@canonical.com>
      Link: https://lore.kernel.org/r/20211111162929.530470-1-kuba@kernel.orgSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      0cda7d4b
    • R
      ptp: ptp_clockmatrix: repair non-kernel-doc comment · 87530779
      Randy Dunlap 提交于
      Do not use "/**" to begin a comment that is not in kernel-doc format.
      
      Prevents this docs build warning:
      
      drivers/ptp/ptp_clockmatrix.c:1679: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
          * Maximum absolute value for write phase offset in picoseconds
      
      Then remove the kernel-doc-like function parameter descriptions
      since they don't add any useful info. (suggested by Jakub)
      
      Fixes: 794c3dff ("ptp: ptp_clockmatrix: Add support for FW 5.2 (8A34005)")
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Reported-by: Nkernel test robot <lkp@intel.com>
      Cc: Min Li <min.li.xe@renesas.com>
      Acked-by: NRichard Cochran <richardcochran@gmail.com>
      Link: https://lore.kernel.org/r/20211111155034.29153-1-rdunlap@infradead.orgSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      87530779
    • L
      hamradio: remove needs_free_netdev to avoid UAF · 81b1d548
      Lin Ma 提交于
      The former patch "defer 6pack kfree after unregister_netdev" reorders
      the kfree of two buffer after the unregister_netdev to prevent the race
      condition. It also adds free_netdev() function in sixpack_close(), which
      is a direct copy from the similar code in mkiss_close().
      
      However, in sixpack driver, the flag needs_free_netdev is set to true in
      sp_setup(), hence the unregister_netdev() will free the netdev
      automatically. Therefore, as the sp is netdev_priv, use-after-free
      occurs.
      
      This patch removes the needs_free_netdev = true and just let the
      free_netdev to finish this deallocation task.
      
      Fixes: 0b911192 ("hamradio: defer 6pack kfree after unregister_netdev")
      Signed-off-by: NLin Ma <linma@zju.edu.cn>
      Link: https://lore.kernel.org/r/20211111141402.7551-1-linma@zju.edu.cnSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      81b1d548
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 66f4beaa
      Linus Torvalds 提交于
      Pull crypto fix from Herbert Xu:
       "This fixes a boot crash regression"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: api - Fix boot-up crash when crypto manager is disabled
      66f4beaa
    • L
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 6cbcc7ab
      Linus Torvalds 提交于
      Pull more SCSI updates from James Bottomley:
       "This series is all the stragglers that didn't quite make the first
        merge window pull. It's mostly minor updates and bug fixes of merge
        window code but it also has two driver updates: ufs and qla2xxx"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (46 commits)
        scsi: scsi_debug: Don't call kcalloc() if size arg is zero
        scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd()
        scsi: scsi_ioctl: Validate command size
        scsi: ufs: ufshpb: Properly handle max-single-cmd
        scsi: core: Avoid leaving shost->last_reset with stale value if EH does not run
        scsi: bsg: Fix errno when scsi_bsg_register_queue() fails
        scsi: sr: Remove duplicate assignment
        scsi: ufs: ufs-exynos: Introduce ExynosAuto v9 virtual host
        scsi: ufs: ufs-exynos: Multi-host configuration for ExynosAuto v9
        scsi: ufs: ufs-exynos: Support ExynosAuto v9 UFS
        scsi: ufs: ufs-exynos: Add pre/post_hce_enable drv callbacks
        scsi: ufs: ufs-exynos: Factor out priv data init
        scsi: ufs: ufs-exynos: Add EXYNOS_UFS_OPT_SKIP_CONFIG_PHY_ATTR option
        scsi: ufs: ufs-exynos: Support custom version of ufs_hba_variant_ops
        scsi: ufs: ufs-exynos: Add setup_clocks callback
        scsi: ufs: ufs-exynos: Add refclkout_stop control
        scsi: ufs: ufs-exynos: Simplify drv_data retrieval
        scsi: ufs: ufs-exynos: Change pclk available max value
        scsi: ufs: Add quirk to enable host controller without PH configuration
        scsi: ufs: Add quirk to handle broken UIC command
        ...
      6cbcc7ab
    • L
      Merge tag 'pwm/for-5.16-rc1' of... · 030c28a0
      Linus Torvalds 提交于
      Merge tag 'pwm/for-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
      
      Pull pwm updates from Thierry Reding:
       "This set is mostly small fixes and cleanups, so more of a janitorial
        update for this cycle"
      
      * tag 'pwm/for-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm:
        pwm: vt8500: Rename pwm_busy_wait() to make it obviously driver-specific
        dt-bindings: pwm: tpu: Add R-Car M3-W+ device tree bindings
        dt-bindings: pwm: tpu: Add R-Car V3U device tree bindings
        pwm: pwm-samsung: Trigger manual update when disabling PWM
        pwm: visconti: Simplify using devm_pwmchip_add()
        pwm: samsung: Describe driver in Kconfig
        pwm: Make it explicit that pwm_apply_state() might sleep
        pwm: Add might_sleep() annotations for !CONFIG_PWM API functions
        pwm: atmel: Drop unused header
      030c28a0
    • L
      Merge tag 'sound-fix-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 0d5d7463
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "A collection of fixes for 5.16-rc1, notably for a few regressions that
        were found in 5.15 and pre-rc1:
      
         - revert of the unification of SG-buffer helper functions on x86 and
           the relevant fix
      
         - regression fixes for mmap after the recent code refactoring
      
         - two NULL dereference fixes in HD-audio controller driver
      
         - UAF fixes in ALSA timer core
      
         - a few usual HD-audio and FireWire quirks"
      
      * tag 'sound-fix-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: fireworks: add support for Loud Onyx 1200f quirk
        ALSA: hda: fix general protection fault in azx_runtime_idle
        ALSA: hda: Free card instance properly at probe errors
        ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED
        ALSA: memalloc: Remove a stale comment
        ALSA: synth: missing check for possible NULL after the call to kstrdup
        ALSA: memalloc: Use proper SG helpers for noncontig allocations
        ALSA: pci: rme: Fix unaligned buffer addresses
        ALSA: firewire-motu: add support for MOTU Track 16
        ALSA: PCM: Fix NULL dereference at mmap checks
        ALSA: hda/realtek: Add quirk for ASUS UX550VE
        ALSA: timer: Unconditionally unlink slave instances, too
        ALSA: memalloc: Catch call with NULL snd_dma_buffer pointer
        Revert "ALSA: memalloc: Convert x86 SG-buffer handling with non-contiguous type"
        ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N
        ALSA: firewire-motu: add support for MOTU Traveler mk3
        ALSA: hda/realtek: Headset fixup for Clevo NH77HJQ
        ALSA: timer: Fix use-after-free problem
      0d5d7463
    • L
      Merge tag 'drm-next-2021-11-12' of git://anongit.freedesktop.org/drm/drm · 304ac803
      Linus Torvalds 提交于
      Pull more drm updates from Dave Airlie:
       "I missed a drm-misc-next pull for the main pull last week. It wasn't
        that major and isn't the bulk of this at all. This has a bunch of
        fixes all over, a lot for amdgpu and i915.
      
        bridge:
         - HPD improvments for lt9611uxc
         - eDP aux-bus support for ps8640
         - LVDS data-mapping selection support
      
        ttm:
         - remove huge page functionality (needs reworking)
         - fix a race condition during BO eviction
      
        panels:
         - add some new panels
      
        fbdev:
         - fix double-free
         - remove unused scrolling acceleration
         - CONFIG_FB dep improvements
      
        locking:
         - improve contended locking logging
         - naming collision fix
      
        dma-buf:
         - add dma_resv_for_each_fence iterator
         - fix fence refcounting bug
         - name locking fixesA
      
        prime:
         - fix object references during mmap
      
        nouveau:
         - various code style changes
         - refcount fix
         - device removal fixes
         - protect client list with a mutex
         - fix CE0 address calculation
      
        i915:
         - DP rates related fixes
         - Revert disabling dual eDP that was causing state readout problems
         - put the cdclk vtables in const data
         - Fix DVO port type for older platforms
         - Fix blankscreen by turning DP++ TMDS output buffers on encoder->shutdown
         - CCS FBs related fixes
         - Fix recursive lock in GuC submission
         - Revert guc_id from i915_request tracepoint
         - Build fix around dmabuf
      
        amdgpu:
         - GPU reset fix
         - Aldebaran fix
         - Yellow Carp fixes
         - DCN2.1 DMCUB fix
         - IOMMU regression fix for Picasso
         - DSC display fixes
         - BPC display calculation fixes
         - Other misc display fixes
         - Don't allow partial copy from user for DC debugfs
         - SRIOV fixes
         - GFX9 CSB pin count fix
         - Various IP version check fixes
         - DP 2.0 fixes
         - Limit DCN1 MPO fix to DCN1
      
        amdkfd:
         - SVM fixes
         - Fix gfx version for renoir
         - Reset fixes
      
        udl:
         - timeout fix
      
        imx:
         - circular locking fix
      
        virtio:
         - NULL ptr deref fix"
      
      * tag 'drm-next-2021-11-12' of git://anongit.freedesktop.org/drm/drm: (126 commits)
        drm/ttm: Double check mem_type of BO while eviction
        drm/amdgpu: add missed support for UVD IP_VERSION(3, 0, 64)
        drm/amdgpu: drop jpeg IP initialization in SRIOV case
        drm/amd/display: reject both non-zero src_x and src_y only for DCN1x
        drm/amd/display: Add callbacks for DMUB HPD IRQ notifications
        drm/amd/display: Don't lock connection_mutex for DMUB HPD
        drm/amd/display: Add comment where CONFIG_DRM_AMD_DC_DCN macro ends
        drm/amdkfd: Fix retry fault drain race conditions
        drm/amdkfd: lower the VAs base offset to 8KB
        drm/amd/display: fix exit from amdgpu_dm_atomic_check() abruptly
        drm/amd/amdgpu: fix the kfd pre_reset sequence in sriov
        drm/amdgpu: fix uvd crash on Polaris12 during driver unloading
        drm/i915/adlp/fb: Prevent the mapping of redundant trailing padding NULL pages
        drm/i915/fb: Fix rounding error in subsampled plane size calculation
        drm/i915/hdmi: Turn DP++ TMDS output buffers back on in encoder->shutdown()
        drm/locking: fix __stack_depot_* name conflict
        drm/virtio: Fix NULL dereference error in virtio_gpu_poll
        drm/amdgpu: fix SI handling in amdgpu_device_asic_has_dc_support()
        drm/amdgpu: Fix dangling kfd_bo pointer for shared BOs
        drm/amd/amdkfd: Don't sent command to HWS on kfd reset
        ...
      304ac803