1. 29 1月, 2019 9 次提交
    • J
      vhost: fix OOB in get_rx_bufs() · b46a0bf7
      Jason Wang 提交于
      After batched used ring updating was introduced in commit e2b3b35e
      ("vhost_net: batch used ring update in rx"). We tend to batch heads in
      vq->heads for more than one packet. But the quota passed to
      get_rx_bufs() was not correctly limited, which can result a OOB write
      in vq->heads.
      
              headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
                          vhost_len, &in, vq_log, &log,
                          likely(mergeable) ? UIO_MAXIOV : 1);
      
      UIO_MAXIOV was still used which is wrong since we could have batched
      used in vq->heads, this will cause OOB if the next buffer needs more
      than 960 (1024 (UIO_MAXIOV) - 64 (VHOST_NET_BATCH)) heads after we've
      batched 64 (VHOST_NET_BATCH) heads:
      Acked-by: NStefan Hajnoczi <stefanha@redhat.com>
      
      =============================================================================
      BUG kmalloc-8k (Tainted: G    B            ): Redzone overwritten
      -----------------------------------------------------------------------------
      
      INFO: 0x00000000fd93b7a2-0x00000000f0713384. First byte 0xa9 instead of 0xcc
      INFO: Allocated in alloc_pd+0x22/0x60 age=3933677 cpu=2 pid=2674
          kmem_cache_alloc_trace+0xbb/0x140
          alloc_pd+0x22/0x60
          gen8_ppgtt_create+0x11d/0x5f0
          i915_ppgtt_create+0x16/0x80
          i915_gem_create_context+0x248/0x390
          i915_gem_context_create_ioctl+0x4b/0xe0
          drm_ioctl_kernel+0xa5/0xf0
          drm_ioctl+0x2ed/0x3a0
          do_vfs_ioctl+0x9f/0x620
          ksys_ioctl+0x6b/0x80
          __x64_sys_ioctl+0x11/0x20
          do_syscall_64+0x43/0xf0
          entry_SYSCALL_64_after_hwframe+0x44/0xa9
      INFO: Slab 0x00000000d13e87af objects=3 used=3 fp=0x          (null) flags=0x200000000010201
      INFO: Object 0x0000000003278802 @offset=17064 fp=0x00000000e2e6652b
      
      Fixing this by allocating UIO_MAXIOV + VHOST_NET_BATCH iovs for
      vhost-net. This is done through set the limitation through
      vhost_dev_init(), then set_owner can allocate the number of iov in a
      per device manner.
      
      This fixes CVE-2018-16880.
      
      Fixes: e2b3b35e ("vhost_net: batch used ring update in rx")
      Signed-off-by: NJason Wang <jasowang@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b46a0bf7
    • D
      Merge branch 'qed-Bug-fixes' · bfe2599d
      David S. Miller 提交于
      Manish Chopra says:
      
      ====================
      qed: Bug fixes
      
      This series have SR-IOV and some general fixes.
      Please consider applying it to "net"
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bfe2599d
    • M
      qed: Fix stack out of bounds bug · ffb057f9
      Manish Chopra 提交于
      KASAN reported following bug in qed_init_qm_get_idx_from_flags
      due to inappropriate casting of "pq_flags". Fix the type of "pq_flags".
      
      [  196.624707] BUG: KASAN: stack-out-of-bounds in qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
      [  196.624712] Read of size 8 at addr ffff809b00bc7360 by task kworker/0:9/1712
      [  196.624714]
      [  196.624720] CPU: 0 PID: 1712 Comm: kworker/0:9 Not tainted 4.18.0-60.el8.aarch64+debug #1
      [  196.624723] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL024 09/26/2018
      [  196.624733] Workqueue: events work_for_cpu_fn
      [  196.624738] Call trace:
      [  196.624742]  dump_backtrace+0x0/0x2f8
      [  196.624745]  show_stack+0x24/0x30
      [  196.624749]  dump_stack+0xe0/0x11c
      [  196.624755]  print_address_description+0x68/0x260
      [  196.624759]  kasan_report+0x178/0x340
      [  196.624762]  __asan_report_load_n_noabort+0x38/0x48
      [  196.624786]  qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
      [  196.624808]  qed_init_qm_info+0xec0/0x2200 [qed]
      [  196.624830]  qed_resc_alloc+0x284/0x7e8 [qed]
      [  196.624853]  qed_slowpath_start+0x6cc/0x1ae8 [qed]
      [  196.624864]  __qede_probe.isra.10+0x1cc/0x12c0 [qede]
      [  196.624874]  qede_probe+0x78/0xf0 [qede]
      [  196.624879]  local_pci_probe+0xc4/0x180
      [  196.624882]  work_for_cpu_fn+0x54/0x98
      [  196.624885]  process_one_work+0x758/0x1900
      [  196.624888]  worker_thread+0x4e0/0xd18
      [  196.624892]  kthread+0x2c8/0x350
      [  196.624897]  ret_from_fork+0x10/0x18
      [  196.624899]
      [  196.624902] Allocated by task 2:
      [  196.624906]  kasan_kmalloc.part.1+0x40/0x108
      [  196.624909]  kasan_kmalloc+0xb4/0xc8
      [  196.624913]  kasan_slab_alloc+0x14/0x20
      [  196.624916]  kmem_cache_alloc_node+0x1dc/0x480
      [  196.624921]  copy_process.isra.1.part.2+0x1d8/0x4a98
      [  196.624924]  _do_fork+0x150/0xfa0
      [  196.624926]  kernel_thread+0x48/0x58
      [  196.624930]  kthreadd+0x3a4/0x5a0
      [  196.624932]  ret_from_fork+0x10/0x18
      [  196.624934]
      [  196.624937] Freed by task 0:
      [  196.624938] (stack is not available)
      [  196.624940]
      [  196.624943] The buggy address belongs to the object at ffff809b00bc0000
      [  196.624943]  which belongs to the cache thread_stack of size 32768
      [  196.624946] The buggy address is located 29536 bytes inside of
      [  196.624946]  32768-byte region [ffff809b00bc0000, ffff809b00bc8000)
      [  196.624948] The buggy address belongs to the page:
      [  196.624952] page:ffff7fe026c02e00 count:1 mapcount:0 mapping:ffff809b4001c000 index:0x0 compound_mapcount: 0
      [  196.624960] flags: 0xfffff8000008100(slab|head)
      [  196.624967] raw: 0fffff8000008100 dead000000000100 dead000000000200 ffff809b4001c000
      [  196.624970] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
      [  196.624973] page dumped because: kasan: bad access detected
      [  196.624974]
      [  196.624976] Memory state around the buggy address:
      [  196.624980]  ffff809b00bc7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  196.624983]  ffff809b00bc7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  196.624985] >ffff809b00bc7300: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2
      [  196.624988]                                                        ^
      [  196.624990]  ffff809b00bc7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  196.624993]  ffff809b00bc7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  196.624995] ==================================================================
      Signed-off-by: NManish Chopra <manishc@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ffb057f9
    • M
      qed: Fix system crash in ll2 xmit · 7c81626a
      Manish Chopra 提交于
      Cache number of fragments in the skb locally as in case
      of linear skb (with zero fragments), tx completion
      (or freeing of skb) may happen before driver tries
      to get number of frgaments from the skb which could
      lead to stale access to an already freed skb.
      Signed-off-by: NManish Chopra <manishc@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7c81626a
    • M
      qed: Fix VF probe failure while FLR · 327852ec
      Manish Chopra 提交于
      VFs may hit VF-PF channel timeout while probing, as in some
      cases it was observed that VF FLR and VF "acquire" message
      transaction (i.e first message from VF to PF in VF's probe flow)
      could occur simultaneously which could lead VF to fail sending
      "acquire" message to PF as VF is marked disabled from HW perspective
      due to FLR, which will result into channel timeout and VF probe failure.
      
      In such cases, try retrying VF "acquire" message so that in later
      attempts it could be successful to pass message to PF after the VF
      FLR is completed and can be probed successfully.
      Signed-off-by: NManish Chopra <manishc@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      327852ec
    • M
      qed: Fix LACP pdu drops for VFs · ff929696
      Manish Chopra 提交于
      VF is always configured to drop control frames
      (with reserved mac addresses) but to work LACP
      on the VFs, it would require LACP control frames
      to be forwarded or transmitted successfully.
      
      This patch fixes this in such a way that trusted VFs
      (marked through ndo_set_vf_trust) would be allowed to
      pass the control frames such as LACP pdus.
      Signed-off-by: NManish Chopra <manishc@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ff929696
    • M
      qed: Fix bug in tx promiscuous mode settings · 9e71a15d
      Manish Chopra 提交于
      When running tx switched traffic between VNICs
      created via a bridge(to which VFs are added),
      adapter drops the unicast packets in tx flow due to
      VNIC's ucast mac being unknown to it. But VF interfaces
      being in promiscuous mode should have caused adapter
      to accept all the unknown ucast packets. Later, it
      was found that driver doesn't really configure tx
      promiscuous mode settings to accept all unknown unicast macs.
      
      This patch fixes tx promiscuous mode settings to accept all
      unknown/unmatched unicast macs and works out the scenario.
      Signed-off-by: NManish Chopra <manishc@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9e71a15d
    • AlbinYang's avatar
      net: i825xx: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles · ca899324
      AlbinYang 提交于
      dev_consume_skb_irq() should be called in i596_interrupt() when skb
      xmit done. It makes drop profiles(dropwatch, perf) more friendly.
      Signed-off-by: AlbinYang's avatarYang Wei <albin_yang@163.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ca899324
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · ff44a837
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter/IPVS fixes for your net tree:
      
      1) The nftnl mutex is now per-netns, therefore use reference counter
         for matches and targets to deal with concurrent updates from netns.
         Moreover, place extensions in a pernet list. Patches from Florian Westphal.
      
      2) Bail out with EINVAL in case of negative timeouts via setsockopt()
         through ip_vs_set_timeout(), from ZhangXiaoxu.
      
      3) Spurious EINVAL on ebtables 32bit binary with 64bit kernel, also
         from Florian.
      
      4) Reset TCP option header parser in case of fingerprint mismatch,
         otherwise follow up overlapping fingerprint definitions including
         TCP options do not work, from Fernando Fernandez Mancera.
      
      5) Compilation warning in ipt_CLUSTER with CONFIG_PROC_FS unset.
         From Anders Roxell.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ff44a837
  2. 28 1月, 2019 21 次提交
    • A
      netfilter: ipt_CLUSTERIP: fix warning unused variable cn · 206b8cc5
      Anders Roxell 提交于
      When CONFIG_PROC_FS isn't set the variable cn isn't used.
      
      net/ipv4/netfilter/ipt_CLUSTERIP.c: In function ‘clusterip_net_exit’:
      net/ipv4/netfilter/ipt_CLUSTERIP.c:849:24: warning: unused variable ‘cn’ [-Wunused-variable]
        struct clusterip_net *cn = clusterip_pernet(net);
                              ^~
      
      Rework so the variable 'cn' is declared inside "#ifdef CONFIG_PROC_FS".
      
      Fixes: b12f7bad ("netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine")
      Signed-off-by: NAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      206b8cc5
    • F
      netfilter: nfnetlink_osf: add missing fmatch check · 1a6a0951
      Fernando Fernandez Mancera 提交于
      When we check the tcp options of a packet and it doesn't match the current
      fingerprint, the tcp packet option pointer must be restored to its initial
      value in order to do the proper tcp options check for the next fingerprint.
      
      Here we can see an example.
      Assumming the following fingerprint base with two lines:
      
      S10:64:1:60:M*,S,T,N,W6:      Linux:3.0::Linux 3.0
      S20:64:1:60:M*,S,T,N,W7:      Linux:4.19:arch:Linux 4.1
      
      Where TCP options are the last field in the OS signature, all of them overlap
      except by the last one, ie. 'W6' versus 'W7'.
      
      In case a packet for Linux 4.19 kicks in, the osf finds no matching because the
      TCP options pointer is updated after checking for the TCP options in the first
      line.
      
      Therefore, reset pointer back to where it should be.
      
      Fixes: 11eeef41 ("netfilter: passive OS fingerprint xtables match")
      Signed-off-by: NFernando Fernandez Mancera <ffmancera@riseup.net>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      1a6a0951
    • F
      netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present · 2035f3ff
      Florian Westphal 提交于
      Unlike ip(6)tables ebtables only counts user-defined chains.
      
      The effect is that a 32bit ebtables binary on a 64bit kernel can do
      'ebtables -N FOO' only after adding at least one rule, else the request
      fails with -EINVAL.
      
      This is a similar fix as done in
      3f1e53ab ("netfilter: ebtables: don't attempt to allocate 0-sized compat array").
      
      Fixes: 7d7d7e02 ("netfilter: compat: reject huge allocation requests")
      Reported-by: NFrancesco Ruggeri <fruggeri@arista.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      2035f3ff
    • A
      net: dsa: mv88e6xxx: Fix serdes irq setup going recursive · 6fb6e637
      Andrew Lunn 提交于
      Duec to a typo, mv88e6390_serdes_irq_setup() calls itself, rather than
      mv88e6390x_serdes_irq_setup(). It then blows the stack, and shortly
      after the machine blows up.
      
      Fixes: 2defda1f ("net: dsa: mv88e6xxx: Add support for SERDES on ports 2-8 for 6390X")
      Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6fb6e637
    • N
      ip6mr: Fix notifiers call on mroute_clean_tables() · 146820cc
      Nir Dotan 提交于
      When the MC route socket is closed, mroute_clean_tables() is called to
      cleanup existing routes. Mistakenly notifiers call was put on the cleanup
      of the unresolved MC route entries cache.
      In a case where the MC socket closes before an unresolved route expires,
      the notifier call leads to a crash, caused by the driver trying to
      increment a non initialized refcount_t object [1] and then when handling
      is done, to decrement it [2]. This was detected by a test recently added in
      commit 6d4efada ("selftests: forwarding: Add multicast routing test").
      
      Fix that by putting notifiers call on the resolved entries traversal,
      instead of on the unresolved entries traversal.
      
      [1]
      
      [  245.748967] refcount_t: increment on 0; use-after-free.
      [  245.754829] WARNING: CPU: 3 PID: 3223 at lib/refcount.c:153 refcount_inc_checked+0x2b/0x30
      ...
      [  245.802357] Hardware name: Mellanox Technologies Ltd. MSN2740/SA001237, BIOS 5.6.5 06/07/2016
      [  245.811873] RIP: 0010:refcount_inc_checked+0x2b/0x30
      ...
      [  245.907487] Call Trace:
      [  245.910231]  mlxsw_sp_router_fib_event.cold.181+0x42/0x47 [mlxsw_spectrum]
      [  245.917913]  notifier_call_chain+0x45/0x7
      [  245.922484]  atomic_notifier_call_chain+0x15/0x20
      [  245.927729]  call_fib_notifiers+0x15/0x30
      [  245.932205]  mroute_clean_tables+0x372/0x3f
      [  245.936971]  ip6mr_sk_done+0xb1/0xc0
      [  245.940960]  ip6_mroute_setsockopt+0x1da/0x5f0
      ...
      
      [2]
      
      [  246.128487] refcount_t: underflow; use-after-free.
      [  246.133859] WARNING: CPU: 0 PID: 7 at lib/refcount.c:187 refcount_sub_and_test_checked+0x4c/0x60
      [  246.183521] Hardware name: Mellanox Technologies Ltd. MSN2740/SA001237, BIOS 5.6.5 06/07/2016
      ...
      [  246.193062] Workqueue: mlxsw_core_ordered mlxsw_sp_router_fibmr_event_work [mlxsw_spectrum]
      [  246.202394] RIP: 0010:refcount_sub_and_test_checked+0x4c/0x60
      ...
      [  246.298889] Call Trace:
      [  246.301617]  refcount_dec_and_test_checked+0x11/0x20
      [  246.307170]  mlxsw_sp_router_fibmr_event_work.cold.196+0x47/0x78 [mlxsw_spectrum]
      [  246.315531]  process_one_work+0x1fa/0x3f0
      [  246.320005]  worker_thread+0x2f/0x3e0
      [  246.324083]  kthread+0x118/0x130
      [  246.327683]  ? wq_update_unbound_numa+0x1b0/0x1b0
      [  246.332926]  ? kthread_park+0x80/0x80
      [  246.337013]  ret_from_fork+0x1f/0x30
      
      Fixes: 088aa3ee ("ip6mr: Support fib notifications")
      Signed-off-by: NNir Dotan <nird@mellanox.com>
      Reviewed-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      146820cc
    • J
      decnet: fix DN_IFREQ_SIZE · 50c29366
      Johannes Berg 提交于
      Digging through the ioctls with Al because of the previous
      patches, we found that on 64-bit decnet's dn_dev_ioctl()
      is wrong, because struct ifreq::ifr_ifru is actually 24
      bytes (not 16 as expected from struct sockaddr) due to the
      ifru_map and ifru_settings members.
      
      Clearly, decnet expects the ioctl to be called with a struct
      like
        struct ifreq_dn {
          char ifr_name[IFNAMSIZ];
          struct sockaddr_dn ifr_addr;
        };
      
      since it does
        struct ifreq *ifr = ...;
        struct sockaddr_dn *sdn = (struct sockaddr_dn *)&ifr->ifr_addr;
      
      This means that DN_IFREQ_SIZE is too big for what it wants on
      64-bit, as it is
        sizeof(struct ifreq) - sizeof(struct sockaddr) +
        sizeof(struct sockaddr_dn)
      
      This assumes that sizeof(struct sockaddr) is the size of ifr_ifru
      but that isn't true.
      
      Fix this to use offsetof(struct ifreq, ifr_ifru).
      
      This indeed doesn't really matter much - the result is that we
      copy in/out 8 bytes more than we should on 64-bit platforms. In
      case the "struct ifreq_dn" lands just on the end of a page though
      it might lead to faults.
      
      As far as I can tell, it has been like this forever, so it seems
      very likely that nobody cares.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      50c29366
    • A
      net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() · c69c29a1
      Alexey Khoroshilov 提交于
      If phy_power_on() fails in rk_gmac_powerup(), clocks are left enabled.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c69c29a1
    • D
      Merge branch 'hns-fixes' · 417c8045
      David S. Miller 提交于
      Peng Li says:
      
      ====================
      net: hns: code optimizations & bugfixes for HNS driver
      
      This patchset includes bugfixes and code optimizations for the HNS
      ethernet controller driver
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      417c8045
    • Y
      net: hns: Fix wrong read accesses via Clause 45 MDIO protocol · cec8abba
      Yonglong Liu 提交于
      When reading phy registers via Clause 45 MDIO protocol, after write
      address operation, the driver use another write address operation, so
      can not read the right value of any phy registers. This patch fixes it.
      Signed-off-by: NYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: NPeng Li <lipeng321@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cec8abba
    • Y
      net: hns: Restart autoneg need return failed when autoneg off · ed29ca8b
      Yonglong Liu 提交于
      The hns driver of earlier devices, when autoneg off, restart autoneg
      will return -EINVAL, so make the hns driver for the latest devices
      do the same.
      Signed-off-by: NYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: NPeng Li <lipeng321@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ed29ca8b
    • Y
      net: hns: Fix for missing of_node_put() after of_parse_phandle() · 263c6d75
      Yonglong Liu 提交于
      In hns enet driver, we use of_parse_handle() to get hold of the
      device node related to "ae-handle" but we have missed to put
      the node reference using of_node_put() after we are done using
      the node. This patch fixes it.
      
      Note:
      This problem is stated in Link: https://lkml.org/lkml/2018/12/22/217
      
      Fixes: 48189d6a ("net: hns: enet specifies a reference to dsaf")
      Reported-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: NYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: NPeng Li <lipeng321@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      263c6d75
    • D
      Merge tag 'mlx5-fixes-2019-01-25' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 3da15ad3
      David S. Miller 提交于
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-01-25
      
      This series introduces some fixes to mlx5 driver.
      For more information please see tag log below.
      
      Please pull and let me know if there is any problem.
      
      For -stable v4.13
      ('net/mlx5e: Allow MAC invalidation while spoofchk is ON')
      
      For -stable v4.18
      ('Revert "net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager"')
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3da15ad3
    • B
      net/rose: fix NULL ax25_cb kernel panic · b0cf0292
      Bernard Pidoux 提交于
      When an internally generated frame is handled by rose_xmit(),
      rose_route_frame() is called:
      
              if (!rose_route_frame(skb, NULL)) {
                      dev_kfree_skb(skb);
                      stats->tx_errors++;
                      return NETDEV_TX_OK;
              }
      
      We have the same code sequence in Net/Rom where an internally generated
      frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
      However, in this function NULL argument is tested while it is not in
      rose_route_frame().
      Then kernel panic occurs later on when calling ax25cmp() with a NULL
      ax25_cb argument as reported many times and recently with syzbot.
      
      We need to test if ax25 is NULL before using it.
      
      Testing:
      Built kernel with CONFIG_ROSE=y.
      Signed-off-by: NBernard Pidoux <f6bvp@free.fr>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Bernard Pidoux <f6bvp@free.fr>
      Cc: linux-hams@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b0cf0292
    • T
      net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case · 6571ebce
      Tomonori Sakita 提交于
      If fill_level was not zero and status was not BUSY,
      result of "tx_prod - tx_cons - inuse" might be zero.
      Subtracting 1 unconditionally results invalid negative return value
      on this case.
      Make sure not to return an negative value.
      Signed-off-by: NTomonori Sakita <tomonori.sakita@sord.co.jp>
      Signed-off-by: NAtsushi Nemoto <atsushi.nemoto@sord.co.jp>
      Reviewed-by: NDalon L Westergreen <dalon.westergreen@linux.intel.com>
      Acked-by: NThor Thayer <thor.thayer@linux.intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6571ebce
    • C
      netrom: switch to sock timer API · 63346650
      Cong Wang 提交于
      sk_reset_timer() and sk_stop_timer() properly handle
      sock refcnt for timer function. Switching to them
      could fix a refcounting bug reported by syzbot.
      
      Reported-and-tested-by: syzbot+defa700d16f1bd1b9a05@syzkaller.appspotmail.com
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-hams@vger.kernel.org
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      63346650
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · c303a9b2
      David S. Miller 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2019-01-25
      
      1) Several patches to fix the fallout from the recent
         tree based policy lookup work. From Florian Westphal.
      
      2) Fix VTI for IPCOMP for 'not compressed' IPCOMP packets.
         We need an extra IPIP handler to process these packets
         correctly. From Su Yanjun.
      
      3) Fix validation of template and selector families for
         MODE_ROUTEOPTIMIZATION with ipv4-in-ipv6 packets.
         This can lead to a stack-out-of-bounds because
         flowi4 struct is treated as flowi6 struct.
         Fix from Florian Westphal.
      
      4) Restore the default behaviour of the xfrm set-mark
         in the output path. This was changed accidentally
         when mark setting was extended to the input path.
         From Benedict Wong.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c303a9b2
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 1fc7f56d
      Linus Torvalds 提交于
      Pull KVM fixes from Paolo Bonzini:
       "Quite a few fixes for x86: nested virtualization save/restore, AMD
        nested virtualization and virtual APIC, 32-bit fixes, an important fix
        to restore operation on older processors, and a bunch of hyper-v
        bugfixes. Several are marked stable.
      
        There are also fixes for GCC warnings and for a GCC/objtool interaction"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Mark expected switch fall-throughs
        KVM: x86: fix TRACE_INCLUDE_PATH and remove -I. header search paths
        KVM: selftests: check returned evmcs version range
        x86/kvm/hyper-v: nested_enable_evmcs() sets vmcs_version incorrectly
        KVM: VMX: Move vmx_vcpu_run()'s VM-Enter asm blob to a helper function
        kvm: selftests: Fix region overlap check in kvm_util
        kvm: vmx: fix some -Wmissing-prototypes warnings
        KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1
        svm: Fix AVIC incomplete IPI emulation
        svm: Add warning message for AVIC IPI invalid target
        KVM: x86: WARN_ONCE if sending a PV IPI returns a fatal error
        KVM: x86: Fix PV IPIs for 32-bit KVM host
        x86/kvm/hyper-v: recommend using eVMCS only when it is enabled
        x86/kvm/hyper-v: don't recommend doing reset via synthetic MSR
        kvm: x86/vmx: Use kzalloc for cached_vmcs12
        KVM: VMX: Use the correct field var when clearing VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL
        KVM: x86: Fix single-step debugging
        x86/kvm/hyper-v: don't announce GUEST IDLE MSR support
      1fc7f56d
    • L
      Merge tag 'dma-mapping-5.0-2' of git://git.infradead.org/users/hch/dma-mapping · c180f1b0
      Linus Torvalds 提交于
      Pull dma-mapping fix from Christoph Hellwig:
       "Fix a xen-swiotlb regression on arm64"
      
      * tag 'dma-mapping-5.0-2' of git://git.infradead.org/users/hch/dma-mapping:
        arm64/xen: fix xen-swiotlb cache flushing
      c180f1b0
    • L
      Merge tag 'libnvdimm-fixes-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 6a2651b5
      Linus Torvalds 提交于
      Pull libnvdimm fixes from Dan Williams:
       "A fix for namespace label support for non-Intel NVDIMMs that implement
        the ACPI standard label method.
      
        This has apparently never worked and could wait for v5.1. However it
        has enough visibility with hardware vendors [1] and distro bug
        trackers [2], and low enough risk that I decided it should go in for
        -rc4. The other fixups target the new, for v5.0, nvdimm security
        functionality. The larger init path fixup closes a memory leak and a
        potential userspace lockup due to missed notifications.
      
          [1] https://github.com/pmem/ndctl/issues/78
          [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811785
      
        These have all soaked in -next for a week with no reported issues.
      
        Summary:
      
         - Fix support for NVDIMMs that implement the ACPI standard label
           methods.
      
         - Fix error handling for security overwrite (memory leak / userspace
           hang condition), and another one-line security cleanup"
      
      * tag 'libnvdimm-fixes-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        acpi/nfit: Fix command-supported detection
        acpi/nfit: Block function zero DSMs
        libnvdimm/security: Require nvdimm_security_setup_events() to succeed
        nfit_test: fix security state pull for nvdimm security nfit_test
      6a2651b5
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 78e372e6
      Linus Torvalds 提交于
      Pull input fixes from Dmitry Torokhov:
       "A fixup for the input_event fix for y2038 Sparc64, and couple other
        minor fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: input_event - fix the CONFIG_SPARC64 mixup
        Input: olpc_apsp - assign priv->dev earlier
        Input: uinput - fix undefined behavior in uinput_validate_absinfo()
        Input: raspberrypi-ts - fix link error
        Input: xpad - add support for SteelSeries Stratus Duo
        Input: input_event - provide override for sparc64
      78e372e6
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 037222ad
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Count ttl-dropped frames properly in mac80211, from Bob Copeland.
      
       2) Integer overflow in ktime handling of bcm can code, from Oliver
          Hartkopp.
      
       3) Fix RX desc handling wrt. hw checksumming in ravb, from Simon
          Horman.
      
       4) Various hash key fixes in hv_netvsc, from Haiyang Zhang.
      
       5) Use after free in ax25, from Eric Dumazet.
      
       6) Several fixes to the SSN support in SCTP, from Xin Long.
      
       7) Do not process frames after a NAPI reschedule in ibmveth, from
          Thomas Falcon.
      
       8) Fix NLA_POLICY_NESTED arguments, from Johannes Berg.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (42 commits)
        qed: Revert error handling changes.
        cfg80211: extend range deviation for DMG
        cfg80211: reg: remove warn_on for a normal case
        mac80211: Add attribute aligned(2) to struct 'action'
        mac80211: don't initiate TDLS connection if station is not associated to AP
        nl80211: fix NLA_POLICY_NESTED() arguments
        ibmveth: Do not process frames after calling napi_reschedule
        net: dev_is_mac_header_xmit() true for ARPHRD_RAWIP
        net: usb: asix: ax88772_bind return error when hw_reset fail
        MAINTAINERS: Update cavium networking drivers
        net/mlx4_core: Fix error handling when initializing CQ bufs in the driver
        net/mlx4_core: Add masking for a few queries on HCA caps
        sctp: set flow sport from saddr only when it's 0
        sctp: set chunk transport correctly when it's a new asoc
        sctp: improve the events for sctp stream adding
        sctp: improve the events for sctp stream reset
        ip_tunnel: Make none-tunnel-dst tunnel port work with lwtunnel
        ax25: fix possible use-after-free
        sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe
        hv_netvsc: fix typos in code comments
        ...
      037222ad
  3. 27 1月, 2019 4 次提交
    • L
      Merge tag '5.0-rc3-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 7c2614bf
      Linus Torvalds 提交于
      Pull smb3 fixes from Steve French:
       "A set of small smb3 fixes, some fixing various crediting issues
        discovered during xfstest runs, five for stable"
      
      * tag '5.0-rc3-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: print CIFSMaxBufSize as part of /proc/fs/cifs/DebugData
        smb3: add credits we receive from oplock/break PDUs
        CIFS: Fix mounts if the client is low on credits
        CIFS: Do not assume one credit for async responses
        CIFS: Fix credit calculations in compound mid callback
        CIFS: Fix credit calculation for encrypted reads with errors
        CIFS: Fix credits calculations for reads with errors
        CIFS: Do not reconnect TCP session in add_credits()
        smb3: Cleanup license mess
        CIFS: Fix possible hang during async MTU reads and writes
        cifs: fix memory leak of an allocated cifs_ntsd structure
      7c2614bf
    • L
      Merge tag 'vfio-v5.0-rc4' of git://github.com/awilliam/linux-vfio · 2580acb2
      Linus Torvalds 提交于
      Pull VFIO fixes from Alex Williamson:
      
       - cleanup licenses in new files (Thomas Gleixner)
      
       - cleanup new compiler warnings (Alexey Kardashevskiy)
      
      * tag 'vfio-v5.0-rc4' of git://github.com/awilliam/linux-vfio:
        vfio-pci/nvlink2: Fix ancient gcc warnings
        vfio/pci: Cleanup license mess
      2580acb2
    • L
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 7930851e
      Linus Torvalds 提交于
      Pull SCSI fixes from James Bottomley:
       "Six fixes, all of which appear to have user visible consequences.
      
        The DMA one is a regression fix from the merge window and of the
        others, four are driver specific and one specific to the target code"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ufs: Use explicit access size in ufshcd_dump_regs
        scsi: tcmu: fix use after free
        scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state()
        scsi: lpfc: nvmet: avoid hang / use-after-free when destroying targetport
        scsi: lpfc: nvme: avoid hang / use-after-free when destroying localport
        scsi: communicate max segment size to the DMA mapping code
      7930851e
    • L
      Merge tag 'for-linus-20190125' of git://git.kernel.dk/linux-block · 6b8f9159
      Linus Torvalds 提交于
      Pull block fixes from Jens Axboe:
       "A collection of fixes for this release. This contains:
      
         - Silence sparse rightfully complaining about non-static wbt
           functions (Bart)
      
         - Fixes for the zoned comments/ioctl documentation (Damien)
      
         - direct-io fix that's been lingering for a while (Ernesto)
      
         - cgroup writeback fix (Tejun)
      
         - Set of NVMe patches for nvme-rdma/tcp (Sagi, Hannes, Raju)
      
         - Block recursion tracking fix (Ming)
      
         - Fix debugfs command flag naming for a few flags (Jianchao)"
      
      * tag 'for-linus-20190125' of git://git.kernel.dk/linux-block:
        block: Fix comment typo
        uapi: fix ioctl documentation
        blk-wbt: Declare local functions static
        blk-mq: fix the cmd_flag_name array
        nvme-multipath: drop optimization for static ANA group IDs
        nvmet-rdma: fix null dereference under heavy load
        nvme-rdma: rework queue maps handling
        nvme-tcp: fix timeout handler
        nvme-rdma: fix timeout handler
        writeback: synchronize sync(2) against cgroup writeback membership switches
        block: cover another queue enter recursion via BIO_QUEUE_ENTERED
        direct-io: allow direct writes to empty inodes
      6b8f9159
  4. 26 1月, 2019 6 次提交
    • D
      qed: Revert error handling changes. · abfd04f7
      David S. Miller 提交于
      This is new code and not bug fixes.
      
      This reverts all changes added by merge commit
      8fb18be9Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      abfd04f7
    • L
      Merge tag 'mmc-v5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · ba606975
      Linus Torvalds 提交于
      Pull MMC fixes from Ulf Hansson:
      
       - sdhci-acpi: Fixup build dependency for PCI
      
       - sdhci-omap: Resolve Kconfig warnings on keystone
      
       - sdhci-iproc: Propagate errors from DT parsing
      
       - meson-gx: Fixup IRQ handling in release callback
      
       - meson-gx: Use signal re-sampling to fixup tuning
      
       - dw_mmc-bluefield: Fix the license information
      
      * tag 'mmc-v5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: dw_mmc-bluefield: : Fix the license information
        mmc: meson-gx: enable signal re-sampling together with tuning
        mmc: sdhci-iproc: handle mmc_of_parse() errors during probe
        mmc: meson-gx: Free irq in release() callback
        mmc: host: Fix Kconfig warnings on keystone_defconfig
        mmc: sdhci-acpi: Make PCI dependency explicit
      ba606975
    • L
      Merge tag 'char-misc-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · d488bd21
      Linus Torvalds 提交于
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char and misc driver fixes to resolve some
        reported issues, as well as a number of binderfs fixups that were
        found after auditing the filesystem code by Al Viro. As binderfs
        hasn't been in a previous release yet, it's good to get these in now
        before the first users show up.
      
        All of these have been in linux-next for a bit with no reported
        issues"
      
      * tag 'char-misc-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (26 commits)
        i3c: master: Fix an error checking typo in 'cdns_i3c_master_probe()'
        binderfs: switch from d_add() to d_instantiate()
        binderfs: drop lock in binderfs_binder_ctl_create
        binderfs: kill_litter_super() before cleanup
        binderfs: rework binderfs_binder_device_create()
        binderfs: rework binderfs_fill_super()
        binderfs: prevent renaming the control dentry
        binderfs: remove outdated comment
        binderfs: use __u32 for device numbers
        binderfs: use correct include guards in header
        misc: pvpanic: fix warning implicit declaration
        char/mwave: fix potential Spectre v1 vulnerability
        misc: ibmvsm: Fix potential NULL pointer dereference
        binderfs: fix error return code in binderfs_fill_super()
        mei: me: add denverton innovation engine device IDs
        mei: me: mark LBG devices as having dma support
        mei: dma: silent the reject message
        binderfs: handle !CONFIG_IPC_NS builds
        binderfs: reserve devices for initial mount
        binderfs: rename header to binderfs.h
        ...
      d488bd21
    • L
      Merge tag 'staging-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 96f18cb8
      Linus Torvalds 提交于
      Pull staging driver fixes from Greg KH:
       "Here are some small staging driver fixes for 5.0-rc4.
      
        They resolve some reported bugs and add a new device id for one
        driver. Nothing major at all, but all good to have.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: android: ion: Support cpu access during dma_buf_detach
        staging: rtl8723bs: Fix build error with Clang when inlining is disabled
        staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1
        staging: vchiq: Fix local event signalling
        Staging: wilc1000: unlock on error in init_chip()
        staging: wilc1000: fix memory leak in wilc_add_rx_gtk
        staging: wilc1000: fix registration frame size
      96f18cb8
    • L
      Merge tag 'tty-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 473721f9
      Linus Torvalds 提交于
      Pull tty/serial driver fixes from Greg KH:
       "Here are a number of small tty core and serial driver fixes for
        5.0-rc4 to resolve some reported issues.
      
        Nothing major, the small serial driver fixes, a tty core fixup for a
        crash that was reported, and some good vt fixes from Nicolas Pitre as
        he seems to be auditing that chunk of code a lot lately.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'tty-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling
        tty: serial: qcom_geni_serial: Allow mctrl when flow control is disabled
        tty: Handle problem if line discipline does not have receive_buf
        vgacon: unconfuse vc_origin when using soft scrollback
        vt: invoke notifier on screen size change
        vt: always call notifier with the console lock held
        vt: make vt_console_print() compatible with the unicode screen buffer
        tty/n_hdlc: fix __might_sleep warning
        serial: 8250: Fix serial8250 initialization crash
        uart: Fix crash in uart_write and uart_put_char
      473721f9
    • L
      Merge tag 'usb-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · b48cef32
      Linus Torvalds 提交于
      Pull USB/PHY fixes from Greg KH:
       "Here are a number of small USB and PHY driver fixes for 5.0-rc4.
      
        Nothing major at all, just the usual selection of USB gadget bugfixes,
        some new USB serial driver ids, some SPDX fixes, and some PHY driver
        fixes for reported issues.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'usb-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: serial: keyspan_usa: add proper SPDX lines for .h files
        USB: EHCI: ehci-mv: add MODULE_DEVICE_TABLE
        USB: leds: fix regression in usbport led trigger
        usb: chipidea: fix static checker warning for NULL pointer
        MAINTAINERS: email address update in MAINTAINERS entries
        USB: usbip: delete README file
        USB: serial: pl2303: add new PID to support PL2303TB
        usb: dwc2: gadget: Fix Remote Wakeup interrupt bit clearing
        phy: ath79-usb: Fix the main reset name to match the DT binding
        phy: ath79-usb: Fix the power on error path
        phy: fix build breakage: add PHY_MODE_SATA
        phy: ti: ensure priv is not null before dereferencing it
        USB: serial: ftdi_sio: fix GPIO not working in autosuspend
        usb: gadget: Potential NULL dereference on allocation error
        usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
        usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup
        usb: dwc3: gadget: synchronize_irq dwc irq in suspend
        USB: serial: simple: add Motorola Tetra TPG2200 device id
      b48cef32