1. 15 Jun, 2017 9 commits
    • rxrpc: Fix several cases where a padded len isn't checked in ticket decode · 5f2f9765
      David Howells authored
      This fixes CVE-2017-7482.
      
      When a kerberos 5 ticket is being decoded so that it can be loaded into an
      rxrpc-type key, there are several places in which the length of a
      variable-length field is checked to make sure that it's not going to
      overrun the available data - but the data is padded to the nearest
      four-byte boundary and the code doesn't check for this extra.  This could
      lead to the size-remaining variable wrapping and the data pointer going
      over the end of the buffer.
      
      Fix this by making the various variable-length data checks use the padded
      length.
      Reported-by: 石磊 <shilei-c@360.cn>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Marc Dionne <marc.c.dionne@auristor.com>
      Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: fix calling in6_ifa_hold incorrectly for dad work · f8a894b2
      Xin Long authored
      Now when starting the dad work in addrconf_mod_dad_work, if the dad work
      is idle and queued, it needs to hold ifa.
      
      The problem is there's one gap in [1], during which, if the pending dad work
      is removed elsewhere, it will miss holding ifa, but the dad work is still
      idle and queued.
      
              if (!delayed_work_pending(&ifp->dad_work))
                      in6_ifa_hold(ifp);
                          <--------------[1]
              mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);
      
      A use-after-free issue can be caused by this.
      
      Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in
      net6_ifa_finish_destroy was hit because of it.
      
      As per Hannes' suggestion, this patch fixes it by holding ifa first in
      addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if
      the dad_work is already in queue.
      
      Note that this patch did not choose to fix it with:
      
        if (!mod_delayed_work(delay))
                in6_ifa_hold(ifp);
      
      As with it, when delay == 0, dad_work would be scheduled immediately, and all
      addrconf_mod_dad_work(0) calls would have to be moved under ifp->lock.
      Reported-by: Wei Chen <weichen@redhat.com>
      Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a090bd4f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) The netlink attribute passed in to dev_set_alias() is not
          necessarily NULL terminated, don't use strlcpy() on it. From
          Alexander Potapenko.
      
       2) Fix implementation of atomics in arm64 bpf JIT, from Daniel
          Borkmann.
      
       3) Correct the release of netdevs and driver private data in certain
          circumstances.
      
       4) Sanitize netlink message length properly in decnet, from Mateusz
          Jurczyk.
      
       5) Don't leak kernel data in rtnl_fill_vfinfo() netlink blobs. From
          Yuval Mintz.
      
       6) Hash secret is never initialized in ipv6 ILA translation code, from
          Arnd Bergmann. I guess those clang warnings about unused inline
          functions are useful for something!
      
       7) Fix endian selection in bpf_endian.h, from Daniel Borkmann.
      
       8) Sanitize sockaddr length before dereferencing any fields in AF_UNIX
          and CAIF. From Mateusz Jurczyk.
      
       9) Fix timestamping for GMAC3 chips in stmmac driver, from Mario
          Molitor.
      
      10) Do not leak netdev on dev_alloc_name() errors in mac80211, from
          Johannes Berg.
      
      11) Fix locking in sctp_for_each_endpoint(), from Xin Long.
      
      12) Fix wrong memset size on 32-bit in snmp6, from Christian Perle.
      
      13) Fix use after free in ip_mc_clear_src(), from WANG Cong.
      
      14) Fix regressions caused by ICMP rate limiting changes in 4.11, from
          Jesper Dangaard Brouer.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (91 commits)
        i40e: Fix a sleep-in-atomic bug
        net: don't global ICMP rate limit packets originating from loopback
        net/act_pedit: fix an error code
        net: update undefined ->ndo_change_mtu() comment
        net_sched: move tcf_lock down after gen_replace_estimator()
        caif: Add sockaddr length check before accessing sa_family in connect handler
        qed: fix dump of context data
        qmi_wwan: new Telewell and Sierra device IDs
        net: phy: Fix MDIO_THUNDER dependencies
        netconsole: Remove duplicate "netconsole: " logging prefix
        igmp: acquire pmc lock for ip_mc_clear_src()
        r8152: give the device version
        net: rps: fix uninitialized symbol warning
        mac80211: don't send SMPS action frame in AP mode when not needed
        mac80211/wpa: use constant time memory comparison for MACs
        mac80211: set bss_info data before configuring the channel
        mac80211: remove 5/10 MHz rate code from station MLME
        mac80211: Fix incorrect condition when checking rx timestamp
        mac80211: don't look at the PM bit of BAR frames
        i40e: fix handling of HW ATR eviction
        ...
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 54ed0f71
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "This fixes a bug on sparc where we may dereference freed stack memory"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: Work around deallocated stack frame reference gcc bug on sparc.
    • Merge tag 'acpi-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 35e60a6b
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These revert an ACPICA commit from the 4.11 cycle that causes problems
        to happen on some systems and add a protection against possible kernel
        crashes due to table reference counter imbalance.
      
        Specifics:
      
         - Revert a 4.11 ACPICA change that made assumptions which are not
           satisfied on some systems and caused the enumeration of resources
           to fail on them (Rafael Wysocki).
      
         - Add a mechanism to prevent tables from being unmapped prematurely
           due to reference counter overflows (Lv Zheng)"
      
      * tag 'acpi-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPICA: Tables: Mechanism to handle late stage acpi_get_table() imbalance
        Revert "ACPICA: Disassembler: Enhance resource descriptor detection"
    • Merge tag 'pm-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 92091c43
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These revert a recent cpufreq schedutil governor change that turned
        out to be problematic and fix a few minor issues in cpufreq, cpuidle
        and the Exynos devfreq drivers.
      
        Specifics:
      
         - Revert a recent cpufreq schedutil governor change that caused some
           systems to behave undesirably (Rafael Wysocki).
      
         - Fix a cpufreq conservative governor issue introduced during the
           3.10 cycle that prevents it from working as expected in some
           situations (Tomasz Wilczyński).
      
         - Fix an error code path in the generic cpuidle driver for DT-based
           systems (Christophe Jaillet).
      
         - Fix three minor issues in devfreq drivers for Exynos (Arvind Yadav,
           Krzysztof Kozlowski)"
      
      * tag 'pm-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpuidle: dt: Add missing 'of_node_put()'
        cpufreq: conservative: Allow down_threshold to take values from 1 to 10
        Revert "cpufreq: schedutil: Reduce frequencies slower"
        PM / devfreq: exynos-ppmu: Staticize event list
        PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable
        PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable
    • Merge branch 'for-4.12/driver-matching-fix' of... · b45edc2d
      Linus Torvalds authored
      Merge branch 'for-4.12/driver-matching-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
      
      Pull HID fix from Jiri Kosina:
      
       - ifdef-based bandaid for a long-standing issue with HID driver
         matching, avoiding regressions in cases where specific driver is not
         enabled in kernel .config, from Jiri Kosina
      
      * 'for-4.12/driver-matching-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: let generic driver yield control iff specific driver has been enabled
    • Merge tag 'media/v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 906e0c5b
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
      
       - some build dependency issues at CEC core with randconfigs
      
       - fix an off by one error at vb2
      
       - a race fix at cec core
      
       - driver fixes at tc358743, sir_ir and rainshadow-cec
      
      * tag 'media/v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] media/cec.h: use IS_REACHABLE instead of IS_ENABLED
        [media] cec: race fix: don't return -ENONET in cec_receive()
        [media] sir_ir: infinite loop in interrupt handler
        [media] cec-notifier.h: handle unreachable CONFIG_CEC_CORE
        [media] cec: improve MEDIA_CEC_RC dependencies
        [media] vb2: Fix an off by one error in 'vb2_plane_vaddr'
        [media] rainshadow-cec: Fix missing spin_lock_init()
        [media] tc358743: fix register i2c_rd/wr function fix
    • i40e: Fix a sleep-in-atomic bug · 640f93cc
      Jia-Ju Bai authored
      The driver may sleep under a spin lock, and the function call path is:
      i40e_ndo_set_vf_port_vlan (acquire the lock by spin_lock_bh)
        i40e_vsi_remove_pvid
          i40e_vlan_stripping_disable
            i40e_aq_update_vsi_params
              i40e_asq_send_command
                mutex_lock --> may sleep
      
      To fix it, the spin lock is released before "i40e_vsi_remove_pvid", and
      the lock is acquired again after this function.
      Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
      Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 14 Jun, 2017 6 commits
  3. 13 Jun, 2017 19 commits
  4. 12 Jun, 2017 6 commits
    • i40e: fix handling of HW ATR eviction · 6964e53f
      Jacob Keller authored
      A recent commit to refactor the driver and remove the hw_disabled_flags
      field accidentally introduced two regressions. First, we overwrote
      pf->flags which removed various key flags including the MSI-X settings.
      
      Additionally, it was intended that we have now two flags,
      HW_ATR_EVICT_CAPABLE and HW_ATR_EVICT_ENABLED, but this was not done,
      and we accidentally were mis-using HW_ATR_EVICT_CAPABLE everywhere.
      
      This patch adds the missing piece, HW_ATR_EVICT_ENABLED, and safely
      updates pf->flags instead of overwriting it.
      
      Without this patch we will have many problems including disabling MSI-X
      support, and we'll attempt to use HW ATR eviction on devices which do
      not support it.
      
      Fixes: 47994c11 ("i40e: remove hw_disabled_flags in favor of using separate flag bits", 2017-04-19)
      Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
      Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • hsr: fix incorrect warning · 675c8da0
      Karicheri, Muralidharan authored
      When an HSR interface is set up using the ip link command, an annoying warning
      appears with the trace as below:
      
      [  203.019828] hsr_get_node: Non-HSR frame
      [  203.019833] Modules linked in:
      [  203.019848] CPU: 0 PID: 158 Comm: sd-resolve Tainted: G        W       4.12.0-rc3-00052-g9fa6bf70 #2
      [  203.019853] Hardware name: Generic DRA74X (Flattened Device Tree)
      [  203.019869] [<c0110280>] (unwind_backtrace) from [<c010c2f4>] (show_stack+0x10/0x14)
      [  203.019880] [<c010c2f4>] (show_stack) from [<c04b9f64>] (dump_stack+0xac/0xe0)
      [  203.019894] [<c04b9f64>] (dump_stack) from [<c01374e8>] (__warn+0xd8/0x104)
      [  203.019907] [<c01374e8>] (__warn) from [<c0137548>] (warn_slowpath_fmt+0x34/0x44)
      root@am57xx-evm:~# [  203.019921] [<c0137548>] (warn_slowpath_fmt) from [<c081126c>] (hsr_get_node+0x148/0x170)
      [  203.019932] [<c081126c>] (hsr_get_node) from [<c0814240>] (hsr_forward_skb+0x110/0x7c0)
      [  203.019942] [<c0814240>] (hsr_forward_skb) from [<c0811d64>] (hsr_dev_xmit+0x2c/0x34)
      [  203.019954] [<c0811d64>] (hsr_dev_xmit) from [<c06c0828>] (dev_hard_start_xmit+0xc4/0x3bc)
      [  203.019963] [<c06c0828>] (dev_hard_start_xmit) from [<c06c13d8>] (__dev_queue_xmit+0x7c4/0x98c)
      [  203.019974] [<c06c13d8>] (__dev_queue_xmit) from [<c0782f54>] (ip6_finish_output2+0x330/0xc1c)
      [  203.019983] [<c0782f54>] (ip6_finish_output2) from [<c0788f0c>] (ip6_output+0x58/0x454)
      [  203.019994] [<c0788f0c>] (ip6_output) from [<c07b16cc>] (mld_sendpack+0x420/0x744)
      
      As this is an expected path to hsr_get_node() with frame coming from
      the master interface, add a check to ensure packet is not from the
      master port and then warn.
      Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • proc: snmp6: Use correct type in memset · 3500cd73
      Christian Perle authored
      Reading /proc/net/snmp6 yields bogus values on 32 bit kernels.
      Use "u64" instead of "unsigned long" in sizeof().
      
      Fixes: 4a4857b1 ("proc: Reduce cache miss in snmp6_seq_show")
      Signed-off-by: Christian Perle <christian.perle@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/mzx/devfreq · 74b2c983
      Rafael J. Wysocki authored
      Pull devfreq fixes from MyungJoo Ham.
      
      * 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/mzx/devfreq:
        PM / devfreq: exynos-ppmu: Staticize event list
        PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable
        PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable
    • cpuidle: dt: Add missing 'of_node_put()' · b2cdd8e1
      Christophe Jaillet authored
      'of_node_put()' should be called on the pointer returned by
      'of_parse_phandle()' when done. In this function this is done in all paths
      except this 'continue', so add it.
      
      Fixes: 97735da0 (drivers: cpuidle: Add status property to ARM idle states)
      Signed-off-by: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    • cpufreq: conservative: Allow down_threshold to take values from 1 to 10 · b8e11f7d
      Tomasz Wilczyński authored
      Commit 27ed3cd2 (cpufreq: conservative: Fix the logic in frequency
      decrease checking) removed the 10 point subtraction when comparing the
      load against down_threshold but did not remove the related limit for the
      down_threshold value.  As a result, down_threshold lower than 11 is not
      allowed even though values from 1 to 10 do work correctly too. The
      comment ("cannot be lower than 11 otherwise freq will not fall") also
      does not apply after removing the subtraction.
      
      For this reason, allow down_threshold to take any value from 1 to 99
      and fix the related comment.
      
      Fixes: 27ed3cd2 (cpufreq: conservative: Fix the logic in frequency decrease checking)
      Signed-off-by: Tomasz Wilczyński <twilczynski@naver.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      Cc: 3.10+ <stable@vger.kernel.org> # 3.10+
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>