1. 16 May, 2020 2 commits
    • DENG Qingfang's avatar
      net: dsa: mt7530: fix roaming from DSA user ports · 5e5502e0
      DENG Qingfang authored
      When a client moves from a DSA user port to a software port in a bridge,
      it cannot reach any other clients that connected to the DSA user ports.
      That is because SA learning on the CPU port is disabled, so the switch
      ignores the client's frames from the CPU port and still thinks it is at
      the user port.
      
      Fix it by enabling SA learning on the CPU port.
      
      To prevent the switch from learning from flooding frames from the CPU
      port, set skb->offload_fwd_mark to 1 for unicast and broadcast frames,
      and let the switch flood them instead of trapping to the CPU port.
      Multicast frames still need to be trapped to the CPU port for snooping,
      so set the SA_DIS bit of the MTK tag to 1 when transmitting those frames
      to disable SA learning.
      
      Fixes: b8f126a8 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
      Signed-off-by: default avatarDENG Qingfang <dqfext@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5e5502e0
    • Madhuparna Bhowmik's avatar
      ipv6: Fix suspicious RCU usage warning in ip6mr · b6dd5acd
      Madhuparna Bhowmik authored
      This patch fixes the following warning:
      
      =============================
      WARNING: suspicious RCU usage
      5.7.0-rc4-next-20200507-syzkaller #0 Not tainted
      -----------------------------
      net/ipv6/ip6mr.c:124 RCU-list traversed in non-reader section!!
      
      ipmr_new_table() returns an existing table, but there is no table at
      init. Therefore the condition: either holding rtnl or the list is empty
      is used.
      
      Fixes: d1db275d ("ipv6: ip6mr: support multiple tables")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Suggested-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarMadhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6dd5acd
  2. 15 May, 2020 22 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f85c1598
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix sk_psock reference count leak on receive, from Xiyu Yang.
      
       2) CONFIG_HNS should be invisible, from Geert Uytterhoeven.
      
       3) Don't allow locking route MTUs in ipv6, RFCs actually forbid this,
          from Maciej Żenczykowski.
      
       4) ipv4 route redirect backoff wasn't actually enforced, from Paolo
          Abeni.
      
       5) Fix netprio cgroup v2 leak, from Zefan Li.
      
       6) Fix infinite loop on rmmod in conntrack, from Florian Westphal.
      
       7) Fix tcp SO_RCVLOWAT hangs, from Eric Dumazet.
      
       8) Various bpf probe handling fixes, from Daniel Borkmann.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (68 commits)
        selftests: mptcp: pm: rm the right tmp file
        dpaa2-eth: properly handle buffer size restrictions
        bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier
        bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range
        bpf: Restrict bpf_probe_read{, str}() only to archs where they work
        MAINTAINERS: Mark networking drivers as Maintained.
        ipmr: Add lockdep expression to ipmr_for_each_table macro
        ipmr: Fix RCU list debugging warning
        drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c
        net: phy: broadcom: fix BCM54XX_SHD_SCR3_TRDDAPD value for BCM54810
        tcp: fix error recovery in tcp_zerocopy_receive()
        MAINTAINERS: Add Jakub to networking drivers.
        MAINTAINERS: another add of Karsten Graul for S390 networking
        drivers: ipa: fix typos for ipa_smp2p structure doc
        pppoe: only process PADT targeted at local interfaces
        selftests/bpf: Enforce returning 0 for fentry/fexit programs
        bpf: Enforce returning 0 for fentry/fexit progs
        net: stmmac: fix num_por initialization
        security: Fix the default value of secid_to_secctx hook
        libbpf: Fix register naming in PT_REGS s390 macros
        ...
      f85c1598
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · d5dfe4f1
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "A few minor bug fixes for user visible defects, and one regression:
      
         - Various bugs from static checkers and syzkaller
      
         - Add missing error checking in mlx4
      
         - Prevent RTNL lock recursion in i40iw
      
         - Fix segfault in cxgb4 in peer abort cases
      
         - Fix a regression added in 5.7 where the IB_EVENT_DEVICE_FATAL could
           be lost, and wasn't delivered to all the FDs"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj
        RDMA/uverbs: Do not discard the IB_EVENT_DEVICE_FATAL event
        RDMA/iw_cxgb4: Fix incorrect function parameters
        RDMA/core: Fix double put of resource
        IB/core: Fix potential NULL pointer dereference in pkey cache
        IB/hfi1: Fix another case where pq is left on waitlist
        IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
        IB/mlx4: Test return value of calls to ib_get_cached_pkey
        RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info()
        i40iw: Fix error handling in i40iw_manage_arp_cache()
      d5dfe4f1
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-5.7-rc6' of... · ce247296
      Linus Torvalds authored
      Merge tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
      
       - lkdtm runner fixes to prevent dmesg clearing and shellcheck errors
      
       - ftrace test handling when test module doesn't exist
      
       - nsfs test fix to replace zero-length array with flexible-array
      
       - dmabuf-heaps test fix to return clear error value
      
      * tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/lkdtm: Use grep -E instead of egrep
        selftests/lkdtm: Don't clear dmesg when running tests
        selftests/ftrace: mark irqsoff_tracer.tc test as unresolved if the test module does not exist
        tools/testing: Replace zero-length array with flexible-array
        kselftests: dmabuf-heaps: Fix confused return value on expected error testing
      ce247296
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 67e45621
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
       "A handful of build fixes, all found by Huawei's autobuilder.
      
        None of these patches should have any functional impact on kernels
        that build, and they're mostly related to various features
        intermingling with !MMU.
      
        While some of these might be better hoisted to generic code, it seems
        better to have the simple fixes in the meanwhile.
      
        As far as I know these are the only outstanding patches for 5.7"
      
      * tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: mmiowb: Fix implicit declaration of function 'smp_processor_id'
        riscv: pgtable: Fix __kernel_map_pages build error if NOMMU
        riscv: Make SYS_SUPPORTS_HUGETLBFS depends on MMU
        riscv: Disable ARCH_HAS_DEBUG_VIRTUAL if NOMMU
        riscv: Add pgprot_writecombine/device and PAGE_SHARED defination if NOMMU
        riscv: stacktrace: Fix undefined reference to `walk_stackframe'
        riscv: Fix unmet direct dependencies built based on SOC_VIRT
        riscv: perf: RISCV_BASE_PMU should be independent
        riscv: perf_event: Make some funciton static
      67e45621
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 01d8a748
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Fix flush_icache_range() second argument in machine_kexec() to be an
        address rather than size"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: fix the flush_icache_range arguments in machine_kexec
      01d8a748
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8e138104
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2020-05-15
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 9 non-merge commits during the last 2 day(s) which contain
      a total of 14 files changed, 137 insertions(+), 43 deletions(-).
      
      The main changes are:
      
      1) Fix secid_to_secctx LSM hook default value, from Anders.
      
      2) Fix bug in mmap of bpf array, from Andrii.
      
      3) Restrict bpf_probe_read to archs where they work, from Daniel.
      
      4) Enforce returning 0 for fentry/fexit progs, from Yonghong.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8e138104
    • Matthieu Baerts's avatar
      selftests: mptcp: pm: rm the right tmp file · 9a2dbb59
      Matthieu Baerts authored
      "$err" is a variable pointing to a temp file. "$out" is not: only used
      as a local variable in "check()" and representing the output of a
      command line.
      
      Fixes: eedbc685 (selftests: add PM netlink functional tests)
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9a2dbb59
    • Ioana Ciornei's avatar
      dpaa2-eth: properly handle buffer size restrictions · efa6a7d0
      Ioana Ciornei authored
      Depending on the WRIOP version, the buffer size on the RX path must by a
      multiple of 64 or 256. Handle this restriction properly by aligning down
      the buffer size to the necessary value. Also, use the new buffer size
      dynamically computed instead of the compile time one.
      
      Fixes: 27c87486 ("dpaa2-eth: Use a single page per Rx buffer")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efa6a7d0
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-v5.7-rc6' of... · 051e6b7e
      Linus Torvalds authored
      Merge tag 'hwmon-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
      
       - Fix ADC access synchronization problem with da9052 driver
      
       - Fix temperature limit and status reporting in nct7904 driver
      
       - Fix drivetemp temperature reporting if SCT is supported but SCT data
         tables are not.
      
      * tag 'hwmon-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (da9052) Synchronize access with mfd
        hwmon: (nct7904) Fix incorrect range of temperature limit registers
        hwmon: (nct7904) Read all SMI status registers in probe function
        hwmon: (drivetemp) Fix SCT support if SCT data tables are not supported
      051e6b7e
    • Linus Torvalds's avatar
      Merge tag 'sound-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 1742bcd0
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Things look good and calming down; the only change to ALSA core is the
        fix for racy rawmidi buffer accesses spotted by syzkaller, and the
        rest are all small device-specific quirks for HD-audio and USB-audio
        devices"
      
      * tag 'sound-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
        ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA
        ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295
        ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295
        ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295
        ALSA: hda/realtek: Add quirk for Samsung Notebook
        ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
        ALSA: usb-audio: add mapping for ASRock TRX40 Creator
        ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse
        Revert "ALSA: hda/realtek: Fix pop noise on ALC225"
        ALSA: firewire-lib: fix 'function sizeof not defined' error of tracepoints format
        ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset
      1742bcd0
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-05-15' of git://anongit.freedesktop.org/drm/drm · e7cea790
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "As mentioned last week an i915 PR came in late, but I left it, so the
        i915 bits of this cover 2 weeks, which is why it's likely a bit larger
        than usual.
      
        Otherwise it's mostly amdgpu fixes, one tegra fix, one meson fix.
      
        i915:
         - Handle idling during i915_gem_evict_something busy loops (Chris)
         - Mark current submissions with a weak-dependency (Chris)
         - Propagate error from completed fences (Chris)
         - Fixes on execlist to avoid GPU hang situation (Chris)
         - Fixes couple deadlocks (Chris)
         - Timeslice preemption fixes (Chris)
         - Fix Display Port interrupt handling on Tiger Lake (Imre)
         - Reduce debug noise around Frame Buffer Compression (Peter)
         - Fix logic around IPC W/a for Coffee Lake and Kaby Lake (Sultan)
         - Avoid dereferencing a dead context (Chris)
      
        tegra:
         - tegra120/4 smmu fixes
      
        amdgpu:
         - Clockgating fixes
         - Fix fbdev with scatter/gather display
         - S4 fix for navi
         - Soft recovery for gfx10
         - Freesync fixes
         - Atomic check cursor fix
         - Add a gfxoff quirk
         - MST fix
      
        amdkfd:
         - Fix GEM reference counting
      
        meson:
         - error code propogation fix"
      
      * tag 'drm-fixes-2020-05-15' of git://anongit.freedesktop.org/drm/drm: (29 commits)
        drm/i915: Handle idling during i915_gem_evict_something busy loops
        drm/meson: pm resume add return errno branch
        drm/amd/amdgpu: Update update_config() logic
        drm/amd/amdgpu: add raven1 part to the gfxoff quirk list
        drm/i915: Mark concurrent submissions with a weak-dependency
        drm/i915: Propagate error from completed fences
        drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest
        drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance.
        drm/amd/display: add basic atomic check for cursor plane
        drm/amd/display: Fix vblank and pageflip event handling for FreeSync
        drm/amdgpu: implement soft_recovery for gfx10
        drm/amdgpu: enable hibernate support on Navi1X
        drm/amdgpu: Use GEM obj reference for KFD BOs
        drm/amdgpu: force fbdev into vram
        drm/amd/powerplay: perform PG ungate prior to CG ungate
        drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate
        drm/amdgpu: disable MGCG/MGLS also on gfx CG ungate
        drm/i915/execlists: Track inflight CCID
        drm/i915/execlists: Avoid reusing the same logical CCID
        drm/i915/gem: Remove object_is_locked assertion from unpin_from_display_plane
        ...
      e7cea790
    • Alexei Starovoitov's avatar
      Merge branch 'restrict-bpf_probe_read' · 59df9f1f
      Alexei Starovoitov authored
      Daniel Borkmann says:
      
      ====================
      Small set of fixes in order to restrict BPF helpers for tracing which are
      broken on archs with overlapping address ranges as per discussion in [0].
      I've targetted this for -bpf tree so they can be routed as fixes. Thanks!
      
      v1 -> v2:
        - switch to reusable %pks, %pus format specifiers (Yonghong)
          - fixate %s on kernel_ds probing for archs with overlapping addr space
      
            [0] https://lore.kernel.org/bpf/CAHk-=wjJKo0GVixYLmqPn-Q22WFu0xHaBSjKEo7e7Yw72y5SPQ@mail.gmail.com/T/
      ====================
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      59df9f1f
    • Daniel Borkmann's avatar
      bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier · b2a5212f
      Daniel Borkmann authored
      Usage of plain %s conversion specifier in bpf_trace_printk() suffers from the
      very same issue as bpf_probe_read{,str}() helpers, that is, it is broken on
      archs with overlapping address ranges.
      
      While the helpers have been addressed through work in 6ae08ae3 ("bpf: Add
      probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers"), we need
      an option for bpf_trace_printk() as well to fix it.
      
      Similarly as with the helpers, force users to make an explicit choice by adding
      %pks and %pus specifier to bpf_trace_printk() which will then pick the corresponding
      strncpy_from_unsafe*() variant to perform the access under KERNEL_DS or USER_DS.
      The %pk* (kernel specifier) and %pu* (user specifier) can later also be extended
      for other objects aside strings that are probed and printed under tracing, and
      reused out of other facilities like bpf_seq_printf() or BTF based type printing.
      
      Existing behavior of %s for current users is still kept working for archs where it
      is not broken and therefore gated through CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE.
      For archs not having this property we fall-back to pick probing under KERNEL_DS as
      a sensible default.
      
      Fixes: 8d3b7dce ("bpf: add support for %s specifier to bpf_trace_printk()")
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reported-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-4-daniel@iogearbox.net
      b2a5212f
    • Daniel Borkmann's avatar
      bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range · 47cc0ed5
      Daniel Borkmann authored
      Given bpf_probe_read{,str}() BPF helpers are now only available under
      CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE, we need to add the drop-in
      replacements of bpf_probe_read_{kernel,user}_str() to do_refine_retval_range()
      as well to avoid hitting the same issue as in 849fa506 ("bpf/verifier:
      refine retval R0 state for bpf_get_stack helper").
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-3-daniel@iogearbox.net
      47cc0ed5
    • Daniel Borkmann's avatar
      bpf: Restrict bpf_probe_read{, str}() only to archs where they work · 0ebeea8c
      Daniel Borkmann authored
      Given the legacy bpf_probe_read{,str}() BPF helpers are broken on archs
      with overlapping address ranges, we should really take the next step to
      disable them from BPF use there.
      
      To generally fix the situation, we've recently added new helper variants
      bpf_probe_read_{user,kernel}() and bpf_probe_read_{user,kernel}_str().
      For details on them, see 6ae08ae3 ("bpf: Add probe_read_{user, kernel}
      and probe_read_{user,kernel}_str helpers").
      
      Given bpf_probe_read{,str}() have been around for ~5 years by now, there
      are plenty of users at least on x86 still relying on them today, so we
      cannot remove them entirely w/o breaking the BPF tracing ecosystem.
      
      However, their use should be restricted to archs with non-overlapping
      address ranges where they are working in their current form. Therefore,
      move this behind a CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE and
      have x86, arm64, arm select it (other archs supporting it can follow-up
      on it as well).
      
      For the remaining archs, they can workaround easily by relying on the
      feature probe from bpftool which spills out defines that can be used out
      of BPF C code to implement the drop-in replacement for old/new kernels
      via: bpftool feature probe macro
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-2-daniel@iogearbox.net
      0ebeea8c
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2020-05-14' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · 1d2a1eb1
      Dave Airlie authored
      Just one meson patch this time to propagate an error code
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <maxime@cerno.tech>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200514073538.wvdtv5s2mt4wdrdj@gilmour.lan
      1d2a1eb1
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2020-05-13-1' of... · 27db6f7b
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2020-05-13-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Handle idling during i915_gem_evict_something busy loops (Chris)
      - Mark current submissions with a weak-dependency (Chris)
      - Propagate errror from completed fences (Chris)
      - Fixes on execlist to avoid GPU hang situation (Chris)
      - Fixes couple deadlocks (Chris)
      - Timeslice preemption fixes (Chris)
      - Fix Display Port interrupt handling on Tiger Lake (Imre)
      - Reduce debug noise around Frame Buffer Compression
      +(Peter)
      - Fix logic around IPC W/a for Coffee Lake and Kaby Lake
      +(Sultan)
      - Avoid dereferencing a dead context (Chris)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200514040235.GA2164266@intel.com
      27db6f7b
    • David S. Miller's avatar
    • Amol Grover's avatar
      ipmr: Add lockdep expression to ipmr_for_each_table macro · 7013908c
      Amol Grover authored
      During the initialization process, ipmr_new_table() is called
      to create new tables which in turn calls ipmr_get_table() which
      traverses net->ipv4.mr_tables without holding the writer lock.
      However, this is safe to do so as no tables exist at this time.
      Hence add a suitable lockdep expression to silence the following
      false-positive warning:
      
      =============================
      WARNING: suspicious RCU usage
      5.7.0-rc3-next-20200428-syzkaller #0 Not tainted
      -----------------------------
      net/ipv4/ipmr.c:136 RCU-list traversed in non-reader section!!
      
      ipmr_get_table+0x130/0x160 net/ipv4/ipmr.c:136
      ipmr_new_table net/ipv4/ipmr.c:403 [inline]
      ipmr_rules_init net/ipv4/ipmr.c:248 [inline]
      ipmr_net_init+0x133/0x430 net/ipv4/ipmr.c:3089
      
      Fixes: f0ad0860 ("ipv4: ipmr: support multiple tables")
      Reported-by: syzbot+1519f497f2f9f08183c6@syzkaller.appspotmail.com
      Suggested-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarAmol Grover <frextrite@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7013908c
    • Amol Grover's avatar
      ipmr: Fix RCU list debugging warning · a14fbcd4
      Amol Grover authored
      ipmr_for_each_table() macro uses list_for_each_entry_rcu()
      for traversing outside of an RCU read side critical section
      but under the protection of rtnl_mutex. Hence, add the
      corresponding lockdep expression to silence the following
      false-positive warning at boot:
      
      [    4.319347] =============================
      [    4.319349] WARNING: suspicious RCU usage
      [    4.319351] 5.5.4-stable #17 Tainted: G            E
      [    4.319352] -----------------------------
      [    4.319354] net/ipv4/ipmr.c:1757 RCU-list traversed in non-reader section!!
      
      Fixes: f0ad0860 ("ipv4: ipmr: support multiple tables")
      Signed-off-by: default avatarAmol Grover <frextrite@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a14fbcd4
    • Madhuparna Bhowmik's avatar
      drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c · 95f59bf8
      Madhuparna Bhowmik authored
      This patch fixes the following warning:
      =============================
      WARNING: suspicious RCU usage
      5.7.0-rc5-next-20200514-syzkaller #0 Not tainted
      -----------------------------
      drivers/net/hamradio/bpqether.c:149 RCU-list traversed in non-reader section!!
      
      Since rtnl lock is held, pass this cond in list_for_each_entry_rcu().
      
      Reported-by: syzbot+bb82cafc737c002d11ca@syzkaller.appspotmail.com
      Signed-off-by: default avatarMadhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      95f59bf8
    • Kevin Lo's avatar
      net: phy: broadcom: fix BCM54XX_SHD_SCR3_TRDDAPD value for BCM54810 · cc8a677a
      Kevin Lo authored
      Set the correct bit when checking for PHY_BRCM_DIS_TXCRXC_NOENRGY on the
      BCM54810 PHY.
      
      Fixes: 0ececcfc ("net: phy: broadcom: Allow BCM54810 to use bcm54xx_adjust_rxrefclk()")
      Signed-off-by: default avatarKevin Lo <kevlo@kevlo.org>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc8a677a
  3. 14 May, 2020 16 commits
    • Eric Dumazet's avatar
      tcp: fix error recovery in tcp_zerocopy_receive() · e776af60
      Eric Dumazet authored
      If user provides wrong virtual address in TCP_ZEROCOPY_RECEIVE
      operation we want to return -EINVAL error.
      
      But depending on zc->recv_skip_hint content, we might return
      -EIO error if the socket has SOCK_DONE set.
      
      Make sure to return -EINVAL in this case.
      
      BUG: KMSAN: uninit-value in tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline]
      BUG: KMSAN: uninit-value in do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685
      CPU: 1 PID: 625 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline]
       do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685
       tcp_getsockopt+0xf8/0x1f0 net/ipv4/tcp.c:3728
       sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3131
       __sys_getsockopt+0x533/0x7b0 net/socket.c:2177
       __do_sys_getsockopt net/socket.c:2192 [inline]
       __se_sys_getsockopt+0xe1/0x100 net/socket.c:2189
       __x64_sys_getsockopt+0x62/0x80 net/socket.c:2189
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45c829
      Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f1deeb72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
      RAX: ffffffffffffffda RBX: 00000000004e01e0 RCX: 000000000045c829
      RDX: 0000000000000023 RSI: 0000000000000006 RDI: 0000000000000009
      RBP: 000000000078bf00 R08: 0000000020000200 R09: 0000000000000000
      R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000001d8 R14: 00000000004d3038 R15: 00007f1deeb736d4
      
      Local variable ----zc@do_tcp_getsockopt created at:
       do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670
       do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670
      
      Fixes: 05255b82 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e776af60
    • Linus Torvalds's avatar
      Merge tag 'mmc-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 1ae7efb3
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Fix a couple of quite severe issues for the CQE request path
      
        MMC host:
         - alcor: Fix a resource leak in the error path for ->probe()
         - sdhci-acpi: Fix the DMA support for the AMD eMMC v5.0 variant
         - sdhci-pci-gli: Fix system resume support for GL975x
         - sdhci-pci-gli: Fix reboot error for GL9750"
      
      * tag 'mmc-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040
        mmc: block: Fix request completion in the CQE timeout path
        mmc: core: Fix recursive locking issue in CQE recovery path
        mmc: core: Check request type before completing the request
        mmc: sdhci-pci-gli: Fix can not access GL9750 after reboot from Windows 10
        mmc: alcor: Fix a resource leak in the error path for ->probe()
        mmc: sdhci-pci-gli: Fix no irq handler from suspend
      1ae7efb3
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 1b54f4fa
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Fix gcc-10 compilation warning in nf_conntrack, from Arnd Bergmann.
      
      2) Add NF_FLOW_HW_PENDING to avoid races between stats and deletion
         commands, from Paul Blakey.
      
      3) Remove WQ_MEM_RECLAIM from the offload workqueue, from Roi Dayan.
      
      4) Infinite loop when removing nf_conntrack module, from Florian Westphal.
      
      5) Set NF_FLOW_TEARDOWN bit on expiration to avoid races when refreshing
         the timeout from the software path.
      
      6) Missing nft_set_elem_expired() check in the rbtree, from Phil Sutter.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b54f4fa
    • David S. Miller's avatar
      c9e2053d
    • Ursula Braun's avatar
      MAINTAINERS: another add of Karsten Graul for S390 networking · 865e525d
      Ursula Braun authored
      Complete adding of Karsten as maintainer for all S390 networking
      parts in the kernel.
      
      Cc: Julian Wiedmann <jwi@linux.ibm.com>
      Acked-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      865e525d
    • Wang Wenhu's avatar
      drivers: ipa: fix typos for ipa_smp2p structure doc · 16bb1b50
      Wang Wenhu authored
      Remove the duplicate "mutex", and change "Motex" to "Mutex". Also I
      recommend it's easier for understanding to make the "ready-interrupt"
      a bundle for it is a parallel description as "shutdown" which is appended
      after the slash.
      Signed-off-by: default avatarWang Wenhu <wenhu.wang@vivo.com>
      Cc: Alex Elder <elder@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      16bb1b50
    • Guillaume Nault's avatar
      pppoe: only process PADT targeted at local interfaces · b8c15839
      Guillaume Nault authored
      We don't want to disconnect a session because of a stray PADT arriving
      while the interface is in promiscuous mode.
      Furthermore, multicast and broadcast packets make no sense here, so
      only PACKET_HOST is accepted.
      Reported-by: default avatarDavid Balažic <xerces9@gmail.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8c15839
    • Yonghong Song's avatar
      selftests/bpf: Enforce returning 0 for fentry/fexit programs · 6d74f64b
      Yonghong Song authored
      There are a few fentry/fexit programs returning non-0.
      The tests with these programs will break with the previous
      patch which enfoced return-0 rules. Fix them properly.
      
      Fixes: ac065870 ("selftests/bpf: Add BPF_PROG, BPF_KPROBE, and BPF_KRETPROBE macros")
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Link: https://lore.kernel.org/bpf/20200514053207.1298479-1-yhs@fb.com
      6d74f64b
    • Yonghong Song's avatar
      bpf: Enforce returning 0 for fentry/fexit progs · e92888c7
      Yonghong Song authored
      Currently, tracing/fentry and tracing/fexit prog
      return values are not enforced. In trampoline codes,
      the fentry/fexit prog return values are ignored.
      Let us enforce it to be 0 to avoid confusion and
      allows potential future extension.
      
      This patch also explicitly added return value
      checking for tracing/raw_tp, tracing/fmod_ret,
      and freplace programs such that these program
      return values can be anything. The purpose are
      two folds:
       1. to make it explicit about return value expectations
          for these programs in verifier.
       2. for tracing prog_type, if a future attach type
          is added, the default is -ENOTSUPP which will
          enforce to specify return value ranges explicitly.
      
      Fixes: fec56f58 ("bpf: Introduce BPF trampoline")
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Link: https://lore.kernel.org/bpf/20200514053206.1298415-1-yhs@fb.com
      e92888c7
    • Vinod Koul's avatar
      net: stmmac: fix num_por initialization · fd4a5177
      Vinod Koul authored
      Driver missed initializing num_por which is one of the por values that
      driver configures to hardware. In order to get these values, add a new
      structure ethqos_emac_driver_data which holds por and num_por values
      and populate that in driver probe.
      
      Fixes: a7c30e62 ("net: stmmac: Add driver for Qualcomm ethqos")
      Reported-by: default avatarRahul Ankushrao Kawadgave <rahulak@qti.qualcomm.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Reviewed-by: default avatarAmit Kucheria <amit.kucheria@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd4a5177
    • Anders Roxell's avatar
      security: Fix the default value of secid_to_secctx hook · 625236ba
      Anders Roxell authored
      security_secid_to_secctx is called by the bpf_lsm hook and a successful
      return value (i.e 0) implies that the parameter will be consumed by the
      LSM framework. The current behaviour return success when the pointer
      isn't initialized when CONFIG_BPF_LSM is enabled, with the default
      return from kernel/bpf/bpf_lsm.c.
      
      This is the internal error:
      
      [ 1229.341488][ T2659] usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 280)!
      [ 1229.374977][ T2659] ------------[ cut here ]------------
      [ 1229.376813][ T2659] kernel BUG at mm/usercopy.c:99!
      [ 1229.378398][ T2659] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      [ 1229.380348][ T2659] Modules linked in:
      [ 1229.381654][ T2659] CPU: 0 PID: 2659 Comm: systemd-journal Tainted: G    B   W         5.7.0-rc5-next-20200511-00019-g864e0c6319b8-dirty #13
      [ 1229.385429][ T2659] Hardware name: linux,dummy-virt (DT)
      [ 1229.387143][ T2659] pstate: 80400005 (Nzcv daif +PAN -UAO BTYPE=--)
      [ 1229.389165][ T2659] pc : usercopy_abort+0xc8/0xcc
      [ 1229.390705][ T2659] lr : usercopy_abort+0xc8/0xcc
      [ 1229.392225][ T2659] sp : ffff000064247450
      [ 1229.393533][ T2659] x29: ffff000064247460 x28: 0000000000000000
      [ 1229.395449][ T2659] x27: 0000000000000118 x26: 0000000000000000
      [ 1229.397384][ T2659] x25: ffffa000127049e0 x24: ffffa000127049e0
      [ 1229.399306][ T2659] x23: ffffa000127048e0 x22: ffffa000127048a0
      [ 1229.401241][ T2659] x21: ffffa00012704b80 x20: ffffa000127049e0
      [ 1229.403163][ T2659] x19: ffffa00012704820 x18: 0000000000000000
      [ 1229.405094][ T2659] x17: 0000000000000000 x16: 0000000000000000
      [ 1229.407008][ T2659] x15: 0000000000000000 x14: 003d090000000000
      [ 1229.408942][ T2659] x13: ffff80000d5b25b2 x12: 1fffe0000d5b25b1
      [ 1229.410859][ T2659] x11: 1fffe0000d5b25b1 x10: ffff80000d5b25b1
      [ 1229.412791][ T2659] x9 : ffffa0001034bee0 x8 : ffff00006ad92d8f
      [ 1229.414707][ T2659] x7 : 0000000000000000 x6 : ffffa00015eacb20
      [ 1229.416642][ T2659] x5 : ffff0000693c8040 x4 : 0000000000000000
      [ 1229.418558][ T2659] x3 : ffffa0001034befc x2 : d57a7483a01c6300
      [ 1229.420610][ T2659] x1 : 0000000000000000 x0 : 0000000000000059
      [ 1229.422526][ T2659] Call trace:
      [ 1229.423631][ T2659]  usercopy_abort+0xc8/0xcc
      [ 1229.425091][ T2659]  __check_object_size+0xdc/0x7d4
      [ 1229.426729][ T2659]  put_cmsg+0xa30/0xa90
      [ 1229.428132][ T2659]  unix_dgram_recvmsg+0x80c/0x930
      [ 1229.429731][ T2659]  sock_recvmsg+0x9c/0xc0
      [ 1229.431123][ T2659]  ____sys_recvmsg+0x1cc/0x5f8
      [ 1229.432663][ T2659]  ___sys_recvmsg+0x100/0x160
      [ 1229.434151][ T2659]  __sys_recvmsg+0x110/0x1a8
      [ 1229.435623][ T2659]  __arm64_sys_recvmsg+0x58/0x70
      [ 1229.437218][ T2659]  el0_svc_common.constprop.1+0x29c/0x340
      [ 1229.438994][ T2659]  do_el0_svc+0xe8/0x108
      [ 1229.440587][ T2659]  el0_svc+0x74/0x88
      [ 1229.441917][ T2659]  el0_sync_handler+0xe4/0x8b4
      [ 1229.443464][ T2659]  el0_sync+0x17c/0x180
      [ 1229.444920][ T2659] Code: aa1703e2 aa1603e1 910a8260 97ecc860 (d4210000)
      [ 1229.447070][ T2659] ---[ end trace 400497d91baeaf51 ]---
      [ 1229.448791][ T2659] Kernel panic - not syncing: Fatal exception
      [ 1229.450692][ T2659] Kernel Offset: disabled
      [ 1229.452061][ T2659] CPU features: 0x240002,20002004
      [ 1229.453647][ T2659] Memory Limit: none
      [ 1229.455015][ T2659] ---[ end Kernel panic - not syncing: Fatal exception ]---
      
      Rework the so the default return value is -EOPNOTSUPP.
      
      There are likely other callbacks such as security_inode_getsecctx() that
      may have the same problem, and that someone that understand the code
      better needs to audit them.
      
      Thank you Arnd for helping me figure out what went wrong.
      
      Fixes: 98e828a0 ("security: Refactor declaration of LSM hooks")
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarJames Morris <jamorris@linux.microsoft.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/bpf/20200512174607.9630-1-anders.roxell@linaro.org
      625236ba
    • Sumanth Korikkar's avatar
      libbpf: Fix register naming in PT_REGS s390 macros · 516d8d49
      Sumanth Korikkar authored
      Fix register naming in PT_REGS s390 macros
      
      Fixes: b8ebce86 ("libbpf: Provide CO-RE variants of PT_REGS macros")
      Signed-off-by: default avatarSumanth Korikkar <sumanthk@linux.ibm.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Reviewed-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Link: https://lore.kernel.org/bpf/20200513154414.29972-1-sumanthk@linux.ibm.com
      516d8d49
    • Andrii Nakryiko's avatar
      bpf: Fix bug in mmap() implementation for BPF array map · 333291ce
      Andrii Nakryiko authored
      mmap() subsystem allows user-space application to memory-map region with
      initial page offset. This wasn't taken into account in initial implementation
      of BPF array memory-mapping. This would result in wrong pages, not taking into
      account requested page shift, being memory-mmaped into user-space. This patch
      fixes this gap and adds a test for such scenario.
      
      Fixes: fc970227 ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
      Signed-off-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/bpf/20200512235925.3817805-1-andriin@fb.com
      333291ce
    • Matteo Croce's avatar
      samples: bpf: Fix build error · 23ad0466
      Matteo Croce authored
      GCC 10 is very strict about symbol clash, and lwt_len_hist_user contains
      a symbol which clashes with libbpf:
      
      /usr/bin/ld: samples/bpf/lwt_len_hist_user.o:(.bss+0x0): multiple definition of `bpf_log_buf'; samples/bpf/bpf_load.o:(.bss+0x8c0): first defined here
      collect2: error: ld returned 1 exit status
      
      bpf_log_buf here seems to be a leftover, so removing it.
      Signed-off-by: default avatarMatteo Croce <mcroce@redhat.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/bpf/20200511113234.80722-1-mcroce@redhat.com
      23ad0466
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · decd6167
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "7 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        kasan: add missing functions declarations to kasan.h
        kasan: consistently disable debugging features
        ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
        userfaultfd: fix remap event with MREMAP_DONTUNMAP
        mm/gup: fix fixup_user_fault() on multiple retries
        epoll: call final ep_events_available() check under the lock
        mm, memcg: fix inconsistent oom event behavior
      decd6167
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2020-05-13' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux · 8c1684bb
      Linus Torvalds authored
      Pull thread fix from Christian Brauner:
       "This contains a single fix for all exported legacy fork helpers to
        block accidental access to clone3() features in the upper 32 bits of
        their respective flags arguments.
      
        I got Cced on a glibc issue where someone reported consistent failures
        for the legacy clone() syscall on ppc64le when sign extension was
        performed (since the clone() syscall in glibc exposes the flags
        argument as an int whereas the kernel uses unsigned long).
      
        The legacy clone() syscall is odd in a bunch of ways and here two
        things interact:
      
         - First, legacy clone's flag argument is word-size dependent, i.e.
           it's an unsigned long whereas most system calls with flag arguments
           use int or unsigned int.
      
         - Second, legacy clone() ignores unknown and deprecated flags.
      
        The two of them taken together means that users on 64bit systems can
        pass garbage for the upper 32bit of the clone() syscall since forever
        and things would just work fine.
      
        The following program compiled on a 64bit kernel prior to v5.7-rc1
        will succeed and will fail post v5.7-rc1 with EBADF:
      
          int main(int argc, char *argv[])
          {
                pid_t pid;
      
                /* Note that legacy clone() has different argument ordering on
                 * different architectures so this won't work everywhere.
                 *
                 * Only set the upper 32 bits.
                 */
                pid = syscall(__NR_clone, 0xffffffff00000000 | SIGCHLD,
                              NULL, NULL, NULL, NULL);
                if (pid < 0)
                        exit(EXIT_FAILURE);
                if (pid == 0)
                        exit(EXIT_SUCCESS);
                if (wait(NULL) != pid)
                        exit(EXIT_FAILURE);
      
                exit(EXIT_SUCCESS);
          }
      
        Since legacy clone() couldn't be extended this was not a problem so
        far and nobody really noticed or cared since nothing in the kernel
        ever bothered to look at the upper 32 bits.
      
        But once we introduced clone3() and expanded the flag argument in
        struct clone_args to 64 bit we opened this can of worms. With the
        first flag-based extension to clone3() making use of the upper 32 bits
        of the flag argument we've effectively made it possible for the legacy
        clone() syscall to reach clone3() only flags on accident. The sign
        extension scenario is just the odd corner-case that we needed to
        figure this out.
      
        The reason we just realized this now and not already when we
        introduced CLONE_CLEAR_SIGHAND was that CLONE_INTO_CGROUP assumes that
        a valid cgroup file descriptor has been given - whereas
        CLONE_CLEAR_SIGHAND doesn't need to verify anything. It just silently
        resets the signal handlers to SIG_DFL.
      
        So the sign extension (or the user accidently passing garbage for the
        upper 32 bits) caused the CLONE_INTO_CGROUP bit to be raised and the
        kernel to error out when it didn't find a valid cgroup file
        descriptor.
      
        Note, I'm also capping kernel_thread()'s flag argument mainly because
        none of the new features make sense for kernel_thread() and we
        shouldn't risk them being accidently activated however unlikely. If we
        wanted to, we could even make kernel_thread() yell when an unknown
        flag has been set which it doesn't do right now. But it's not worth
        risking this in a bugfix imho"
      
      * tag 'for-linus-2020-05-13' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
        fork: prevent accidental access to clone3 features
      8c1684bb