1. 13 10月, 2017 2 次提交
  2. 12 10月, 2017 8 次提交
  3. 11 10月, 2017 17 次提交
    • T
      ALSA: caiaq: Fix stray URB at probe error path · 99fee508
      Takashi Iwai 提交于
      caiaq driver doesn't kill the URB properly at its error path during
      the probe, which may lead to a use-after-free error later.  This patch
      addresses it.
      Reported-by: NJohan Hovold <johan@kernel.org>
      Reviewed-by: NJohan Hovold <johan@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      99fee508
    • A
      HID: hid-elecom: extend to fix descriptor for HUGE trackball · a0933a45
      Alex Manoussakis 提交于
      In addition to DEFT, Elecom introduced a larger trackball called HUGE, in
      both wired (M-HT1URBK) and wireless (M-HT1DRBK) versions. It has the same
      buttons and behavior as the DEFT. This patch adds the two relevant USB IDs
      to enable operation of the three Fn buttons on the top of the device.
      
      Cc: Diego Elio Petteno <flameeyes@flameeyes.eu>
      Signed-off-by: NAlex Manoussakis <amanou@gnu.org>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      a0933a45
    • J
      HID: usbhid: fix out-of-bounds bug · f043bfc9
      Jaejoong Kim 提交于
      The hid descriptor identifies the length and type of subordinate
      descriptors for a device. If the received hid descriptor is smaller than
      the size of the struct hid_descriptor, it is possible to cause
      out-of-bounds.
      
      In addition, if bNumDescriptors of the hid descriptor have an incorrect
      value, this can also cause out-of-bounds while approaching hdesc->desc[n].
      
      So check the size of hid descriptor and bNumDescriptors.
      
      	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
      	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
      
      	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
      	4.14.0-rc1-42251-gebb2c243 #169
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      	Workqueue: usb_hub_wq hub_event
      	Call Trace:
      	__dump_stack lib/dump_stack.c:16
      	dump_stack+0x292/0x395 lib/dump_stack.c:52
      	print_address_description+0x78/0x280 mm/kasan/report.c:252
      	kasan_report_error mm/kasan/report.c:351
      	kasan_report+0x22f/0x340 mm/kasan/report.c:409
      	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
      	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
      	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
      	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
      	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
      	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
      	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
      	hub_port_connect drivers/usb/core/hub.c:4903
      	hub_port_connect_change drivers/usb/core/hub.c:5009
      	port_event drivers/usb/core/hub.c:5115
      	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
      	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
      	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
      	kthread+0x3a1/0x470 kernel/kthread.c:231
      	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
      
      Cc: stable@vger.kernel.org
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NJaejoong Kim <climbbb.kim@gmail.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      f043bfc9
    • T
      ALSA: seq: Fix use-after-free at creating a port · 71105998
      Takashi Iwai 提交于
      There is a potential race window opened at creating and deleting a
      port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
      a port object and returns its pointer, but it doesn't take the
      refcount, thus it can be deleted immediately by another thread.
      Meanwhile, snd_seq_ioctl_create_port() still calls the function
      snd_seq_system_client_ev_port_start() with the created port object
      that is being deleted, and this triggers use-after-free like:
      
       BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
       =============================================================================
       BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
       -----------------------------------------------------------------------------
       INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
       	___slab_alloc+0x425/0x460
       	__slab_alloc+0x20/0x40
        	kmem_cache_alloc_trace+0x150/0x190
      	snd_seq_create_port+0x94/0x9b0 [snd_seq]
      	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
       	__slab_free+0x204/0x310
       	kfree+0x15f/0x180
       	port_delete+0x136/0x1a0 [snd_seq]
       	snd_seq_delete_port+0x235/0x350 [snd_seq]
       	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       Call Trace:
        [<ffffffff81b03781>] dump_stack+0x63/0x82
        [<ffffffff81531b3b>] print_trailer+0xfb/0x160
        [<ffffffff81536db4>] object_err+0x34/0x40
        [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
        [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
        [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
        [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
        [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
        [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
        [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
        [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
        .....
      
      We may fix this in a few different ways, and in this patch, it's fixed
      simply by taking the refcount properly at snd_seq_create_port() and
      letting the caller unref the object after use.  Also, there is another
      potential use-after-free by sprintf() call in snd_seq_create_port(),
      and this is moved inside the lock.
      
      This fix covers CVE-2017-15265.
      Reported-and-tested-by: NMichael23 Yu <ycqzsy@gmail.com>
      Suggested-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      71105998
    • A
      bio_copy_user_iov(): don't ignore ->iov_offset · 1cfd0ddd
      Al Viro 提交于
      Since "block: support large requests in blk_rq_map_user_iov" we
      started to call it with partially drained iter; that works fine
      on the write side, but reads create a copy of iter for completion
      time.  And that needs to take the possibility of ->iov_iter != 0
      into account...
      
      Cc: stable@vger.kernel.org #v4.5+
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      1cfd0ddd
    • A
      more bio_map_user_iov() leak fixes · 2b04e8f6
      Al Viro 提交于
      we need to take care of failure exit as well - pages already
      in bio should be dropped by analogue of bio_unmap_pages(),
      since their refcounts had been bumped only once per reference
      in bio.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      2b04e8f6
    • V
      fix unbalanced page refcounting in bio_map_user_iov · 95d78c28
      Vitaly Mayatskikh 提交于
      bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
      IO vector has small consecutive buffers belonging to the same page.
      bio_add_pc_page merges them into one, but the page reference is never
      dropped.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NVitaly Mayatskikh <v.mayatskih@gmail.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      95d78c28
    • A
      direct-io: Prevent NULL pointer access in submit_page_section · 899f0429
      Andreas Gruenbacher 提交于
      In the code added to function submit_page_section by commit b1058b98,
      sdio->bio can currently be NULL when calling dio_bio_submit.  This then
      leads to a NULL pointer access in dio_bio_submit, so check for a NULL
      bio in submit_page_section before trying to submit it instead.
      
      Fixes xfstest generic/250 on gfs2.
      
      Cc: stable@vger.kernel.org # v3.10+
      Signed-off-by: NAndreas Gruenbacher <agruenba@redhat.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      899f0429
    • L
      Merge tag 'seccomp-v4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · a957fd42
      Linus Torvalds 提交于
      Pull seccomp fixlet from Kees Cook:
       "Minor seccomp fix for v4.14-rc5. I debated sending this at all for
        v4.14, but since it fixes a minor issue in the prior fix, which also
        went to -stable, it seemed better to just get all of it cleaned up
        right now.
      
         - fix missed "static" to avoid Sparse warning (Colin King)"
      
      * tag 'seccomp-v4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        seccomp: make function __get_seccomp_filter static
      a957fd42
    • L
      Merge tag 'nfsd-4.14-1' of git://linux-nfs.org/~bfields/linux · f953d248
      Linus Torvalds 提交于
      Pull nfsd fix from Bruce Fields:
       "One fix for a 4.14 regression, and one minor fix to the MAINTAINERs
        file. (I was weirdly flattered by the idea that lots of random people
        suddenly seemed to think Jeff and I were VFS experts. Turns out it was
        just a typo)"
      
      * tag 'nfsd-4.14-1' of git://linux-nfs.org/~bfields/linux:
        nfsd4: define nfsd4_secinfo_no_name_release()
        MAINTAINERS: associate linux/fs.h with VFS instead of file locking
      f953d248
    • C
      seccomp: make function __get_seccomp_filter static · 084f5601
      Colin Ian King 提交于
      The function __get_seccomp_filter is local to the source and does
      not need to be in global scope, so make it static.
      
      Cleans up sparse warning:
      symbol '__get_seccomp_filter' was not declared. Should it be static?
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Fixes: 66a733ea ("seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()")
      Cc: stable@vger.kernel.org
      Signed-off-by: NKees Cook <keescook@chromium.org>
      084f5601
    • A
      remoteproc: qcom: fix RPMSG_QCOM_GLINK_SMEM dependencies · ab759b97
      Arnd Bergmann 提交于
      When RPMSG_QCOM_GLINK_SMEM=m and one driver causes the qcom_common.c file
      to be compiled as built-in, we get a link error:
      
      drivers/remoteproc/qcom_common.o: In function `glink_subdev_remove':
      qcom_common.c:(.text+0x130): undefined reference to `qcom_glink_smem_unregister'
      qcom_common.c:(.text+0x130): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `qcom_glink_smem_unregister'
      drivers/remoteproc/qcom_common.o: In function `glink_subdev_probe':
      qcom_common.c:(.text+0x160): undefined reference to `qcom_glink_smem_register'
      qcom_common.c:(.text+0x160): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `qcom_glink_smem_register'
      
      Out of the three PIL driver instances, QCOM_ADSP_PIL already has a
      Kconfig dependency to prevent this from happening, but the other two
      do not. This adds the same dependency there.
      
      Fixes: eea07023 ("remoteproc: qcom: adsp: Allow defining GLINK edge")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NBjorn Andersson <bjorn.andersson@linaro.org>
      ab759b97
    • D
      remoteproc: imx_rproc: fix a couple off by one bugs · 68c2d645
      Dan Carpenter 提交于
      The priv->mem[] array has IMX7D_RPROC_MEM_MAX elements so the > should
      be >= to avoid writing one element beyond the end of the array.
      
      Fixes: a0ff4aa6 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NBjorn Andersson <bjorn.andersson@linaro.org>
      68c2d645
    • D
      rpmsg: glink: Fix memory leak in qcom_glink_alloc_intent() · b775d158
      Dan Carpenter 提交于
      We need to free "intent" and "intent->data" on a couple error paths.
      
      Fixes: 933b45da ("rpmsg: glink: Add support for TX intents")
      Acked-by: NSricharan R <sricharan@codeaurora.org>
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NBjorn Andersson <bjorn.andersson@linaro.org>
      b775d158
    • D
      rpmsg: glink: Unlock on error in qcom_glink_request_intent() · 0a7480bd
      Dan Carpenter 提交于
      If qcom_glink_tx() fails, then we need to unlock before returning the
      error code.
      
      Fixes: 27b9c5b6 ("rpmsg: glink: Request for intents when unavailable")
      Acked-by: NSricharan R <sricharan@codeaurora.org>
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NBjorn Andersson <bjorn.andersson@linaro.org>
      0a7480bd
    • L
      Merge tag 'f2fs-for-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs · 7056964a
      Linus Torvalds 提交于
      Pull f2fs fix from Jaegeuk Kim:
       "This contains one bug fix which causes a kernel panic during fstrim
        introduced in 4.14-rc1"
      
      * tag 'f2fs-for-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs:
        f2fs: fix potential panic during fstrim
      7056964a
    • L
      Merge tag 'linux-kselftest-4.14-rc5-fixes' of... · da93b8c7
      Linus Torvalds 提交于
      Merge tag 'linux-kselftest-4.14-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
      
       - fix for x86: sysret_ss_attrs test build failure preventing the x86
         tests from running
      
       - fix mqueue: fix regression in silencing test run output
      
      * tag 'linux-kselftest-4.14-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests: mqueue: fix regression in silencing output from RUN_TESTS
        selftests: x86: sysret_ss_attrs doesn't build on a PIE build
      da93b8c7
  4. 10 10月, 2017 13 次提交
    • T
      ALSA: usb-audio: Kill stray URB at exiting · 124751d5
      Takashi Iwai 提交于
      USB-audio driver may leave a stray URB for the mixer interrupt when it
      exits by some error during probe.  This leads to a use-after-free
      error as spotted by syzkaller like:
        ==================================================================
        BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
        Call Trace:
         <IRQ>
         __dump_stack lib/dump_stack.c:16
         dump_stack+0x292/0x395 lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351
         kasan_report+0x23d/0x350 mm/kasan/report.c:409
         __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
         snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
         __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
         ....
      
        Allocated by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
         kmalloc ./include/linux/slab.h:493
         kzalloc ./include/linux/slab.h:666
         snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
         create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
         ....
      
        Freed by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
         slab_free_hook mm/slub.c:1390
         slab_free_freelist_hook mm/slub.c:1412
         slab_free mm/slub.c:2988
         kfree+0xf6/0x2f0 mm/slub.c:3919
         snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
         snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
         __snd_device_free+0x1ff/0x380 sound/core/device.c:91
         snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
         snd_card_do_free sound/core/init.c:461
         release_card_device+0x47/0x170 sound/core/init.c:181
         device_release+0x13f/0x210 drivers/base/core.c:814
         ....
      
      Actually such a URB is killed properly at disconnection when the
      device gets probed successfully, and what we need is to apply it for
      the error-path, too.
      
      In this patch, we apply snd_usb_mixer_disconnect() at releasing.
      Also introduce a new flag, disconnected, to struct usb_mixer_interface
      for not performing the disconnection procedure twice.
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      124751d5
    • L
      Merge branch 'ppc-bundle' (bundle from Michael Ellerman) · 529a86e0
      Linus Torvalds 提交于
      Merge powerpc transactional memory fixes from Michael Ellerman:
       "I figured I'd still send you the commits using a bundle to make sure
        it works in case I need to do it again in future"
      
      This fixes transactional memory state restore for powerpc.
      
      * bundle'd patches from Michael Ellerman:
        powerpc/tm: Fix illegal TM state in signal handler
        powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
      529a86e0
    • K
      waitid(): Add missing access_ok() checks · 96ca579a
      Kees Cook 提交于
      Adds missing access_ok() checks.
      
      CVE-2017-5123
      Reported-by: NChris Salls <chrissalls5@gmail.com>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Acked-by: NAl Viro <viro@zeniv.linux.org.uk>
      Fixes: 4c48abe9 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
      Cc: stable@kernel.org # 4.13
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      96ca579a
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · ff33952e
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix object leak on IPSEC offload failure, from Steffen Klassert.
      
       2) Fix range checks in ipset address range addition operations, from
          Jozsef Kadlecsik.
      
       3) Fix pernet ops unregistration order in ipset, from Florian Westphal.
      
       4) Add missing netlink attribute policy for nl80211 packet pattern
          attrs, from Peng Xu.
      
       5) Fix PPP device destruction race, from Guillaume Nault.
      
       6) Write marks get lost when BPF verifier processes R1=R2 register
          assignments, causing incorrect liveness information and less state
          pruning. Fix from Alexei Starovoitov.
      
       7) Fix blockhole routes so that they are marked dead and therefore not
          cached in sockets, otherwise IPSEC stops working. From Steffen
          Klassert.
      
       8) Fix broadcast handling of UDP socket early demux, from Paolo Abeni.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (37 commits)
        cdc_ether: flag the u-blox TOBY-L2 and SARA-U2 as wwan
        net: thunderx: mark expected switch fall-throughs in nicvf_main()
        udp: fix bcast packet reception
        netlink: do not set cb_running if dump's start() errs
        ipv4: Fix traffic triggered IPsec connections.
        ipv6: Fix traffic triggered IPsec connections.
        ixgbe: incorrect XDP ring accounting in ethtool tx_frame param
        net: ixgbe: Use new PCI_DEV_FLAGS_NO_RELAXED_ORDERING flag
        Revert commit 1a8b6d76 ("net:add one common config...")
        ixgbe: fix masking of bits read from IXGBE_VXLANCTRL register
        ixgbe: Return error when getting PHY address if PHY access is not supported
        netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'
        netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook
        tipc: Unclone message at secondary destination lookup
        tipc: correct initialization of skb list
        gso: fix payload length when gso_size is zero
        mlxsw: spectrum_router: Avoid expensive lookup during route removal
        bpf: fix liveness marking
        doc: Fix typo "8023.ad" in bonding documentation
        ipv6: fix net.ipv6.conf.all.accept_dad behaviour for real
        ...
      ff33952e
    • A
      cdc_ether: flag the u-blox TOBY-L2 and SARA-U2 as wwan · fdfbad32
      Aleksander Morgado 提交于
      The u-blox TOBY-L2 is a LTE Cat 4 module with HSPA+ and 2G fallback.
      This module allows switching to different USB profiles with the
      'AT+UUSBCONF' command, and provides a ECM network interface when the
      'AT+UUSBCONF=2' profile is selected.
      
      The u-blox SARA-U2 is a HSPA module with 2G fallback. The default USB
      configuration includes a ECM network interface.
      
      Both these modules are controlled via AT commands through one of the
      TTYs exposed. Connecting these modules may be done just by activating
      the desired PDP context with 'AT+CGACT=1,<cid>' and then running DHCP
      on the ECM interface.
      Signed-off-by: NAleksander Morgado <aleksander@aleksander.es>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fdfbad32
    • L
      Merge tag 'nfs-for-4.14-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 68ebe3cb
      Linus Torvalds 提交于
      Pull NFS client bugfixes from Trond Myklebust:
       "Hightlights include:
      
        stable fixes:
         - nfs/filelayout: fix oops when freeing filelayout segment
         - NFS: Fix uninitialized rpc_wait_queue
      
        bugfixes:
         - NFSv4/pnfs: Fix an infinite layoutget loop
         - nfs: RPC_MAX_AUTH_SIZE is in bytes"
      
      * tag 'nfs-for-4.14-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv4/pnfs: Fix an infinite layoutget loop
        nfs/filelayout: fix oops when freeing filelayout segment
        sunrpc: remove redundant initialization of sock
        NFS: Fix uninitialized rpc_wait_queue
        NFS: Cleanup error handling in nfs_idmap_request_key()
        nfs: RPC_MAX_AUTH_SIZE is in bytes
      68ebe3cb
    • G
      net: thunderx: mark expected switch fall-throughs in nicvf_main() · 1a2ace56
      Gustavo A. R. Silva 提交于
      In preparation to enabling -Wimplicit-fallthrough, mark switch cases
      where we are expecting to fall through.
      
      Cc: Sunil Goutham <sgoutham@cavium.com>
      Cc: Robert Richter <rric@kernel.org>
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: netdev@vger.kernel.org
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1a2ace56
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · fb60bccc
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter/IPVS fixes for your net tree,
      they are:
      
      1) Fix packet drops due to incorrect ECN handling in IPVS, from Vadim
         Fedorenko.
      
      2) Fix splat with mark restoration in xt_socket with non-full-sock,
         patch from Subash Abhinov Kasiviswanathan.
      
      3) ipset bogusly bails out when adding IPv4 range containing more than
         2^31 addresses, from Jozsef Kadlecsik.
      
      4) Incorrect pernet unregistration order in ipset, from Florian Westphal.
      
      5) Races between dump and swap in ipset results in BUG_ON splats, from
         Ross Lagerwall.
      
      6) Fix chain renames in nf_tables, from JingPiao Chen.
      
      7) Fix race in pernet codepath with ebtables table registration, from
         Artem Savkov.
      
      8) Memory leak in error path in set name allocation in nf_tables, patch
         from Arvind Yadav.
      
      9) Don't dump chain counters if they are not available, this fixes a
         crash when listing the ruleset.
      
      10) Fix out of bound memory read in strlcpy() in x_tables compat code,
          from Eric Dumazet.
      
      11) Make sure we only process TCP packets in SYNPROXY hooks, patch from
          Lin Zhang.
      
      12) Cannot load rules incrementally anymore after xt_bpf with pinned
          objects, added in revision 1. From Shmulik Ladkani.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fb60bccc
    • D
      Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · 5766cd68
      David S. Miller 提交于
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Updates 2017-10-09
      
      This series contains updates to ixgbe and arch/Kconfig.
      
      Mark fixes a case where PHY register access is not supported and we were
      returning a PHY address, when we should have been returning -EOPNOTSUPP.
      
      Sabrina Dubroca fixes the use of a logical "and" when it should have been
      the bitwise "and" operator.
      
      Ding Tianhong reverts the commit that added the Kconfig bool option
      ARCH_WANT_RELAX_ORDER, since there is now a new flag
      PCI_DEV_FLAGS_NO_RELAXED_ORDERING that has been added to indicate that
      Relaxed Ordering Attributes should not be used for Transaction Layer
      Packets.  Then follows up with making the needed changes to ixgbe to
      use the new PCI_DEV_FLAGS_NO_RELAXED_ORDERING flag.
      
      John Fastabend fixes an issue in the ring accounting when the transmit
      ring parameters are changed via ethtool when an XDP program is attached.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5766cd68
    • P
      udp: fix bcast packet reception · 996b44fc
      Paolo Abeni 提交于
      The commit bc044e8d ("udp: perform source validation for
      mcast early demux") does not take into account that broadcast packets
      lands in the same code path and they need different checks for the
      source address - notably, zero source address are valid for bcast
      and invalid for mcast.
      
      As a result, 2nd and later broadcast packets with 0 source address
      landing to the same socket are dropped. This breaks dhcp servers.
      
      Since we don't have stringent performance requirements for ingress
      broadcast traffic, fix it by disabling UDP early demux such traffic.
      Reported-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Fixes: bc044e8d ("udp: perform source validation for mcast early demux")
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      996b44fc
    • J
      netlink: do not set cb_running if dump's start() errs · 41c87425
      Jason A. Donenfeld 提交于
      It turns out that multiple places can call netlink_dump(), which means
      it's still possible to dereference partially initialized values in
      dump() that were the result of a faulty returned start().
      
      This fixes the issue by calling start() _before_ setting cb_running to
      true, so that there's no chance at all of hitting the dump() function
      through any indirect paths.
      
      It also moves the call to start() to be when the mutex is held. This has
      the nice side effect of serializing invocations to start(), which is
      likely desirable anyway. It also prevents any possible other races that
      might come out of this logic.
      
      In testing this with several different pieces of tricky code to trigger
      these issues, this commit fixes all avenues that I'm aware of.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Reviewed-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      41c87425
    • D
      Merge tag 'mac80211-for-davem-2017-10-09' of... · 6df4d17c
      David S. Miller 提交于
      Merge tag 'mac80211-for-davem-2017-10-09' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      pull-request: mac80211 2017-10-09
      
      The QCA folks found another netlink problem - we were missing validation
      of some attributes. It's not super problematic since one can only read a
      few bytes beyond the message (and that memory must exist), but here's the
      fix for it.
      
      I thought perhaps we can make nla_parse_nested() require a policy, but
      given the two-stage validation/parsing in regular netlink that won't work.
      
      Please pull and let me know if there's any problem.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6df4d17c
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 93b03193
      David S. Miller 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2017-10-09
      
      1) Fix some error paths of the IPsec offloading API.
      
      2) Fix a NULL pointer dereference when IPsec is used
         with vti. From Alexey Kodanev.
      
      3) Don't call xfrm_policy_cache_flush under xfrm_state_lock,
         it triggers several locking warnings. From Artem Savkov.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      93b03193