1. 07 Jun, 2017 40 commits
    • Johan Hovold's avatar
      USB: serial: digi_acceleport: fix OOB data sanity check · 7c759899
      Johan Hovold authored
      commit 2d380889 upstream.
      
      Make sure to check for short transfers to avoid underflow in a loop
      condition when parsing the receive buffer.
      
      Also fix an off-by-one error in the incomplete sanity check which could
      lead to invalid data being parsed.
      
      Fixes: 8c209e67 ("USB: make actual_length in struct urb field u32")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7c759899
    • Mikulas Patocka's avatar
      dm: flush queued bios when process blocks to avoid deadlock · cc3d0c26
      Mikulas Patocka authored
      commit d67a5f4b upstream.
      
      Commit df2cb6da ("block: Avoid deadlocks with bio allocation by
      stacking drivers") created a workqueue for every bio set and code
      in bio_alloc_bioset() that tries to resolve some low-memory deadlocks
      by redirecting bios queued on current->bio_list to the workqueue if the
      system is low on memory.  However other deadlocks (see below **) may
      happen, without any low memory condition, because generic_make_request
      is queuing bios to current->bio_list (rather than submitting them).
      
      ** the related dm-snapshot deadlock is detailed here:
      https://www.redhat.com/archives/dm-devel/2016-July/msg00065.html
      
      Fix this deadlock by redirecting any bios on current->bio_list to the
      bio_set's rescue workqueue on every schedule() call.  Consequently,
      when the process blocks on a mutex, the bios queued on
      current->bio_list are dispatched to independent workqueus and they can
      complete without waiting for the mutex to be available.
      
      The structure blk_plug contains an entry cb_list and this list can contain
      arbitrary callback functions that are called when the process blocks.
      To implement this fix DM (ab)uses the onstack plug's cb_list interface
      to get its flush_current_bio_list() called at schedule() time.
      
      This fixes the snapshot deadlock - if the map method blocks,
      flush_current_bio_list() will be called and it redirects bios waiting
      on current->bio_list to appropriate workqueues.
      
      Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1267650
      Depends-on: df2cb6da ("block: Avoid deadlocks with bio allocation by stacking drivers")
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      cc3d0c26
    • Trond Myklebust's avatar
      nlm: Ensure callback code also checks that the files match · ebd9572e
      Trond Myklebust authored
      commit 251af29c upstream.
      
      It is not sufficient to just check that the lock pids match when
      granting a callback, we also need to ensure that we're granting
      the callback on the right file.
      Reported-by: default avatarPankaj Singh <psingh.ait@gmail.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      ebd9572e
    • Steven Rostedt (VMware)'s avatar
      ktest: Fix child exit code processing · 5bb7a6c4
      Steven Rostedt (VMware) authored
      commit 32677207 upstream.
      
      The child_exit errno needs to be shifted by 8 bits to compare against the
      return values for the bisect variables.
      
      Fixes: c5dacb88 ("ktest: Allow overriding bisect test results")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5bb7a6c4
    • Feras Daoud's avatar
      IB/ipoib: Fix deadlock between rmmod and set_mode · 2c318737
      Feras Daoud authored
      commit 0a0007f2 upstream.
      
      When calling set_mode from sys/fs, the call flow locks the sys/fs lock
      first and then tries to lock rtnl_lock (when calling ipoib_set_mod).
      On the other hand, the rmmod call flow takes the rtnl_lock first
      (when calling unregister_netdev) and then tries to take the sys/fs
      lock. Deadlock a->b, b->a.
      
      The problem starts when ipoib_set_mod frees it's rtnl_lck and tries
      to get it after that.
      
          set_mod:
          [<ffffffff8104f2bd>] ? check_preempt_curr+0x6d/0x90
          [<ffffffff814fee8e>] __mutex_lock_slowpath+0x13e/0x180
          [<ffffffff81448655>] ? __rtnl_unlock+0x15/0x20
          [<ffffffff814fed2b>] mutex_lock+0x2b/0x50
          [<ffffffff81448675>] rtnl_lock+0x15/0x20
          [<ffffffffa02ad807>] ipoib_set_mode+0x97/0x160 [ib_ipoib]
          [<ffffffffa02b5f5b>] set_mode+0x3b/0x80 [ib_ipoib]
          [<ffffffff8134b840>] dev_attr_store+0x20/0x30
          [<ffffffff811f0fe5>] sysfs_write_file+0xe5/0x170
          [<ffffffff8117b068>] vfs_write+0xb8/0x1a0
          [<ffffffff8117ba81>] sys_write+0x51/0x90
          [<ffffffff8100b0f2>] system_call_fastpath+0x16/0x1b
      
          rmmod:
          [<ffffffff81279ffc>] ? put_dec+0x10c/0x110
          [<ffffffff8127a2ee>] ? number+0x2ee/0x320
          [<ffffffff814fe6a5>] schedule_timeout+0x215/0x2e0
          [<ffffffff8127cc04>] ? vsnprintf+0x484/0x5f0
          [<ffffffff8127b550>] ? string+0x40/0x100
          [<ffffffff814fe323>] wait_for_common+0x123/0x180
          [<ffffffff81060250>] ? default_wake_function+0x0/0x20
          [<ffffffff8119661e>] ? ifind_fast+0x5e/0xb0
          [<ffffffff814fe43d>] wait_for_completion+0x1d/0x20
          [<ffffffff811f2e68>] sysfs_addrm_finish+0x228/0x270
          [<ffffffff811f2fb3>] sysfs_remove_dir+0xa3/0xf0
          [<ffffffff81273f66>] kobject_del+0x16/0x40
          [<ffffffff8134cd14>] device_del+0x184/0x1e0
          [<ffffffff8144e59b>] netdev_unregister_kobject+0xab/0xc0
          [<ffffffff8143c05e>] rollback_registered+0xae/0x130
          [<ffffffff8143c102>] unregister_netdevice+0x22/0x70
          [<ffffffff8143c16e>] unregister_netdev+0x1e/0x30
          [<ffffffffa02a91b0>] ipoib_remove_one+0xe0/0x120 [ib_ipoib]
          [<ffffffffa01ed95f>] ib_unregister_device+0x4f/0x100 [ib_core]
          [<ffffffffa021f5e1>] mlx4_ib_remove+0x41/0x180 [mlx4_ib]
          [<ffffffffa01ab771>] mlx4_remove_device+0x71/0x90 [mlx4_core]
      
      Fixes: 862096a8 ("IB/ipoib: Add more rtnl_link_ops callbacks")
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarFeras Daoud <ferasda@mellanox.com>
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      2c318737
    • Julian Wiedmann's avatar
      s390/qdio: clear DSCI prior to scanning multiple input queues · 8e68a4d1
      Julian Wiedmann authored
      commit 1e4a382f upstream.
      
      For devices with multiple input queues, tiqdio_call_inq_handlers()
      iterates over all input queues and clears the device's DSCI
      during each iteration. If the DSCI is re-armed during one
      of the later iterations, we therefore do not scan the previous
      queues again.
      The re-arming also raises a new adapter interrupt. But its
      handler does not trigger a rescan for the device, as the DSCI
      has already been erroneously cleared.
      This can result in queue stalls on devices with multiple
      input queues.
      
      Fix it by clearing the DSCI just once, prior to scanning the queues.
      
      As the code is moved in front of the loop, we also need to access
      the DSCI directly (ie irq->dsci) instead of going via each queue's
      parent pointer to the same irq. This is not a functional change,
      and a follow-up patch will clean up the other users.
      
      In practice, this bug only affects CQ-enabled HiperSockets devices,
      ie. devices with sysfs-attribute "hsuid" set. Setting a hsuid is
      needed for AF_IUCV socket applications that use HiperSockets
      communication.
      
      Fixes: 104ea556 ("qdio: support asynchronous delivery of storage blocks")
      Reviewed-by: default avatarUrsula Braun <ubraun@linux.vnet.ibm.com>
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      8e68a4d1
    • J. Bruce Fields's avatar
      NFSv4: fix getacl head length estimation · 58ccba85
      J. Bruce Fields authored
      commit 6682c14b upstream.
      
      Bitmap and attrlen follow immediately after the op reply header.  This
      was an oversight from commit bf118a34.
      
      Consequences of this are just minor efficiency (extra calls to
      xdr_shrink_bufhead).
      
      Fixes: bf118a34 "NFSv4: include bitmap in nfsv4 get acl data"
      Reviewed-by: default avatarKinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      58ccba85
    • Jason Gunthorpe's avatar
      RDMA/core: Fix incorrect structure packing for booleans · e9a1e1cc
      Jason Gunthorpe authored
      commit 55efcfcd upstream.
      
      The RDMA core uses ib_pack() to convert from unpacked CPU structs
      to on-the-wire bitpacked structs.
      
      This process requires that 1 bit fields are declared as u8 in the
      unpacked struct, otherwise the packing process does not read the
      value properly and the packed result is wired to 0. Several
      places wrongly used int.
      
      Crucially this means the kernel has never, set reversible
      correctly in the path record request. It has always asked for
      irreversible paths even if the ULP requests otherwise.
      
      When the kernel is used with a SM that supports this feature, it
      completely breaks communication management if reversible paths are
      not properly requested.
      
      The only reason this ever worked is because opensm ignores the
      reversible bit.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e9a1e1cc
    • Miklos Szeredi's avatar
      fuse: add missing FR_FORCE · 5beea857
      Miklos Szeredi authored
      commit 2e38bea9 upstream.
      
      fuse_file_put() was missing the "force" flag for the RELEASE request when
      sending synchronously (fuseblk).
      
      If this flag is not set, then a sync request may be interrupted before it
      is dequeued by the userspace filesystem.  In this case the OPEN won't be
      balanced with a RELEASE.
      
      [js] force is a variable, not a bit
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Fixes: 5a18ec17 ("fuse: fix hang of single threaded fuseblk filesystem")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5beea857
    • Christian Lamparter's avatar
      ath9k: use correct OTP register offsets for the AR9340 and AR9550 · f90660e1
      Christian Lamparter authored
      commit c9f1e326 upstream.
      
      This patch fixes the OTP register definitions for the AR934x and AR9550
      WMAC SoC.
      
      Previously, the ath9k driver was unable to initialize the integrated
      WMAC on an Aerohive AP121:
      
      | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
      | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
      | ath: phy0: Unable to initialize hardware; initialization status: -5
      | ath9k ar934x_wmac: failed to initialize device
      | ath9k: probe of ar934x_wmac failed with error -5
      
      It turns out that the AR9300_OTP_STATUS and AR9300_OTP_DATA
      definitions contain a typo.
      
      Cc: Gabor Juhos <juhosg@openwrt.org>
      Fixes: add295a4 "ath9k: use correct OTP register offsets for AR9550"
      Signed-off-by: default avatarChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarChris Blake <chrisrblake93@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      f90660e1
    • Raghava Aditya Renukunta's avatar
      scsi: aacraid: Reorder Adapter status check · 63901140
      Raghava Aditya Renukunta authored
      commit c421530b upstream.
      
      The driver currently checks the SELF_TEST_FAILED first and then
      KERNEL_PANIC next. Under error conditions(boot code failure) both
      SELF_TEST_FAILED and KERNEL_PANIC can be set at the same time.
      
      The driver has the capability to reset the controller on an KERNEL_PANIC,
      but not on SELF_TEST_FAILED.
      
      Fixed by first checking KERNEL_PANIC and then the others.
      
      Fixes: e8b12f0f ([SCSI] aacraid: Add new code for PMC-Sierra's SRC base controller family)
      Signed-off-by: default avatarRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
      Reviewed-by: default avatarDavid Carroll <David.Carroll@microsemi.com>
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      63901140
    • Guennadi Liakhovetski's avatar
      uvcvideo: Fix a wrong macro · 0259f8b8
      Guennadi Liakhovetski authored
      commit 17c341ec upstream.
      
      Don't mix up UVC_BUF_STATE_* and VB2_BUF_STATE_* codes.
      
      Fixes: 6998b6fb ("[media] uvcvideo: Use videobuf2-vmalloc")
      Signed-off-by: default avatarGuennadi Liakhovetski <guennadi.liakhovetski@intel.com>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      0259f8b8
    • Paul Burton's avatar
      MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps · 9dc2420f
      Paul Burton authored
      commit 096a0de4 upstream.
      
      is_jump_ins() checks for plain jump ("j") instructions since commit
      e7438c4b ("MIPS: Fix sibling call handling in get_frame_info") but
      that commit didn't make the same change to the microMIPS code, leaving
      it inconsistent with the MIPS32/MIPS64 code. Handle the microMIPS
      encoding of the jump instruction too such that it behaves consistently.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: e7438c4b ("MIPS: Fix sibling call handling in get_frame_info")
      Cc: Tony Wu <tung7970@gmail.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14533/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9dc2420f
    • Paul Burton's avatar
      MIPS: Calculate microMIPS ra properly when unwinding the stack · 8577fb6b
      Paul Burton authored
      commit bb9bc468 upstream.
      
      get_frame_info() calculates the offset of the return address within a
      stack frame simply by dividing a the bottom 16 bits of the instruction,
      treated as a signed integer, by the size of a long. Whilst this works
      for MIPS32 & MIPS64 ISAs where the sw or sd instructions are used, it's
      incorrect for microMIPS where encodings differ. The result is that we
      typically completely fail to unwind the stack on microMIPS.
      
      Fix this by adjusting is_ra_save_ins() to calculate the return address
      offset, and take into account the various different encodings there in
      the same place as we consider whether an instruction is storing the
      ra/$31 register.
      
      With this we are now able to unwind the stack for kernels targetting the
      microMIPS ISA, for example we can produce:
      
          Call Trace:
          [<80109e1f>] show_stack+0x63/0x7c
          [<8011ea17>] __warn+0x9b/0xac
          [<8011ea45>] warn_slowpath_fmt+0x1d/0x20
          [<8013fe53>] register_console+0x43/0x314
          [<8067c58d>] of_setup_earlycon+0x1dd/0x1ec
          [<8067f63f>] early_init_dt_scan_chosen_stdout+0xe7/0xf8
          [<8066c115>] do_early_param+0x75/0xac
          [<801302f9>] parse_args+0x1dd/0x308
          [<8066c459>] parse_early_options+0x25/0x28
          [<8066c48b>] parse_early_param+0x2f/0x38
          [<8066e8cf>] setup_arch+0x113/0x488
          [<8066c4f3>] start_kernel+0x57/0x328
          ---[ end trace 0000000000000000 ]---
      
      Whereas previously we only produced:
      
          Call Trace:
          [<80109e1f>] show_stack+0x63/0x7c
          ---[ end trace 0000000000000000 ]---
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14532/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      8577fb6b
    • Paul Burton's avatar
      MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions · a3e70c33
      Paul Burton authored
      commit 67c75057 upstream.
      
      is_jump_ins() checks 16b instruction fields without verifying that the
      instruction is indeed 16b, as is done by is_ra_save_ins() &
      is_sp_move_ins(). Add the appropriate check.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14531/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a3e70c33
    • Paul Burton's avatar
      MIPS: Fix get_frame_info() handling of microMIPS function size · 9c01ee59
      Paul Burton authored
      commit b6c7a324 upstream.
      
      get_frame_info() is meant to iterate over up to the first 128
      instructions within a function, but for microMIPS kernels it will not
      reach that many instructions unless the function is 512 bytes long since
      we calculate the maximum number of instructions to check by dividing the
      function length by the 4 byte size of a union mips_instruction. In
      microMIPS kernels this won't do since instructions are variable length.
      
      Fix this by instead checking whether the pointer to the current
      instruction has reached the end of the function, and use max_insns as a
      simple constant to check the number of iterations against.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14530/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9c01ee59
    • Paul Burton's avatar
      MIPS: Prevent unaligned accesses during stack unwinding · 15d2aa74
      Paul Burton authored
      commit a3552dac upstream.
      
      During stack unwinding we call a number of functions to determine what
      type of instruction we're looking at. The union mips_instruction pointer
      provided to them may be pointing at a 2 byte, but not 4 byte, aligned
      address & we thus cannot directly access the 4 byte wide members of the
      union mips_instruction. To avoid this is_ra_save_ins() copies the
      required half-words of the microMIPS instruction to a correctly aligned
      union mips_instruction on the stack, which it can then access safely.
      The is_jump_ins() & is_sp_move_ins() functions do not correctly perform
      this temporary copy, and instead attempt to directly dereference 4 byte
      fields which may be misaligned and lead to an address exception.
      
      Fix this by copying the instruction halfwords to a temporary union
      mips_instruction in get_frame_info() such that we can provide a 4 byte
      aligned union mips_instruction to the is_*_ins() functions and they do
      not need to deal with misalignment themselves.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14529/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      15d2aa74
    • Paul Burton's avatar
      MIPS: Clear ISA bit correctly in get_frame_info() · 1809a783
      Paul Burton authored
      commit ccaf7caf upstream.
      
      get_frame_info() can be called in microMIPS kernels with the ISA bit
      already clear. For example this happens when unwind_stack_by_address()
      is called because we begin with a PC that has the ISA bit set & subtract
      the (odd) offset from the preceding symbol (which does not have the ISA
      bit set). Since get_frame_info() unconditionally subtracts 1 from the PC
      in microMIPS kernels it incorrectly misaligns the address it then
      attempts to access code at, leading to an address error exception.
      
      Fix this by using msk_isa16_mode() to clear the ISA bit, which allows
      get_frame_info() to function regardless of whether it is provided with a
      PC that has the ISA bit set or not.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14528/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      1809a783
    • James Cowgill's avatar
      MIPS: OCTEON: Fix copy_from_user fault handling for large buffers · e51712a8
      James Cowgill authored
      commit 884b4269 upstream.
      
      If copy_from_user is called with a large buffer (>= 128 bytes) and the
      userspace buffer refers partially to unreadable memory, then it is
      possible for Octeon's copy_from_user to report the wrong number of bytes
      have been copied. In the case where the buffer size is an exact multiple
      of 128 and the fault occurs in the last 64 bytes, copy_from_user will
      report that all the bytes were copied successfully but leave some
      garbage in the destination buffer.
      
      The bug is in the main __copy_user_common loop in octeon-memcpy.S where
      in the middle of the loop, src and dst are incremented by 128 bytes. The
      l_exc_copy fault handler is used after this but that assumes that
      "src < THREAD_BUADDR($28)". This is not the case if src has already been
      incremented.
      
      Fix by adding an extra fault handler which rewinds the src and dst
      pointers 128 bytes before falling though to l_exc_copy.
      
      Thanks to the pwritev test from the strace test suite for originally
      highlighting this bug!
      
      Fixes: 5b3b1688 ("MIPS: Add Cavium OCTEON processor support ...")
      Signed-off-by: default avatarJames Cowgill <James.Cowgill@imgtec.com>
      Acked-by: default avatarDavid Daney <david.daney@cavium.com>
      Reviewed-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14978/Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e51712a8
    • Shmulik Ladkani's avatar
      net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames · beb27bf1
      Shmulik Ladkani authored
      commit d65f2fa6 upstream.
      
      META_COLLECTOR int_vlan_tag() assumes that if the accel tag (vlan_tci)
      is zero, then no vlan accel tag is present.
      
      This is incorrect for zero VID vlan accel packets, making the following
      match fail:
        tc filter add ... basic match 'meta(vlan mask 0xfff eq 0)' ...
      
      Apparently 'int_vlan_tag' was implemented prior VLAN_TAG_PRESENT was
      introduced in 05423b24 "vlan: allow null VLAN ID to be used"
      (and at time introduced, the 'vlan_tx_tag_get' call in em_meta was not
       adapted).
      
      Fix, testing skb_vlan_tag_present instead of testing skb_vlan_tag_get's
      value.
      
      Fixes: 05423b24 ("vlan: allow null VLAN ID to be used")
      Fixes: 1a31f204 ("netsched: Allow meta match on vlan tag on receive")
      Signed-off-by: default avatarShmulik Ladkani <shmulik.ladkani@gmail.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      beb27bf1
    • Steffen Klassert's avatar
      vti4: Don't count header length twice. · 37fdac58
      Steffen Klassert authored
      commit a3245236 upstream.
      
      We currently count the size of LL_MAX_HEADER and struct iphdr
      twice for vti4 devices, this leads to a wrong device mtu.
      The size of LL_MAX_HEADER and struct iphdr is already counted in
      ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init().
      
      Fixes: b9959fd3 ("vti: switch to new ip tunnel code")
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      37fdac58
    • Daniel Borkmann's avatar
      net: 6lowpan: fix lowpan_header_create non-compression memcpy call · 3ac993d4
      Daniel Borkmann authored
      commit 965801e1 upstream.
      
      In function lowpan_header_create(), we invoke the following code
      construct:
      
        struct ipv6hdr *hdr;
        ...
        hdr = ipv6_hdr(skb);
        ...
        if (...)
          memcpy(hc06_ptr + 1, &hdr->flow_lbl[1], 2);
        else
          memcpy(hc06_ptr, &hdr, 4);
      
      Where the else path of the condition, that is, non-compression
      path, calls memcpy() with a pointer to struct ipv6hdr *hdr as
      source, thus two levels of indirection. This cannot be correct,
      and likely only one level of pointer was intended as source
      buffer for memcpy() here.
      
      Fixes: 44331fe2 ("IEEE802.15.4: 6LoWPAN basic support")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
      Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Cc: Werner Almesberger <werner@almesberger.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3ac993d4
    • Dan Carpenter's avatar
      drm/nv50/disp: min/max are reversed in nv50_crtc_gamma_set() · c4c175db
      Dan Carpenter authored
      commit bdefc8cb upstream.
      
      We should be taking the minimum here instead of the max.  It could lead
      to a buffer overflow.
      
      Fixes: 438d99e3 ('drm/nvd0/disp: initial crtc object implementation')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      
      a/drm/nv50_display.c b/drm/nv50_display.c
      index f8e66c08b11a..4e384a2f99c3 100644
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c4c175db
    • Dan Carpenter's avatar
      mfd: pm8921: Potential NULL dereference in pm8921_remove() · dad5635c
      Dan Carpenter authored
      commit d6daef95 upstream.
      
      We assume that "pmic" could be NULL and then dereference it two lines
      later.  I fix this by moving the dereference inside the NULL check.
      
      Fixes: c013f0a5 ('mfd: Add pm8xxx irq support')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      dad5635c
    • Ben Hutchings's avatar
      ocfs2: do not write error flag to user structure we cannot copy from/to · 511ae3b9
      Ben Hutchings authored
      commit 2b462638 upstream.
      
      If we failed to copy from the structure, writing back the flags leaks 31
      bits of kernel memory (the rest of the ir_flags field).
      
      In any case, if we cannot copy from/to the structure, why should we
      expect putting just the flags to work?
      
      Also make sure ocfs2_info_handle_freeinode() returns the right error
      code if the copy_to_user() fails.
      
      Fixes: ddee5cdb ('Ocfs2: Add new OCFS2_IOC_INFO ioctl for ocfs2 v8.')
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Joel Becker <jlbec@evilplan.org>
      Acked-by: default avatarMark Fasheh <mfasheh@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      511ae3b9
    • Thomas Gleixner's avatar
      goldfish: Sanitize the broken interrupt handler · 7fb0b447
      Thomas Gleixner authored
      commit 6cf18e69 upstream.
      
      This interrupt handler is broken in several ways:
      
        - It loops forever when the op code is not decodeable
      
        - It never returns IRQ_HANDLED because the only way to exit the loop
          returns IRQ_NONE unconditionally.
      
      The whole concept of this is broken. Creating devices in an interrupt
      handler is beyond any point of sanity.
      
      Make it at least behave halfways sane so accidental users do not have to
      deal with a hard to debug lockup.
      
      Fixes: e809c22b ("goldfish: add the goldfish virtual bus")
      Reported-by: default avatarGabriel C <nix.or.die@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7fb0b447
    • Thomas Gleixner's avatar
      x86/platform/goldfish: Prevent unconditional loading · d3926e19
      Thomas Gleixner authored
      commit 47512cfd upstream.
      
      The goldfish platform code registers the platform device unconditionally
      which causes havoc in several ways if the goldfish_pdev_bus driver is
      enabled:
      
       - Access to the hardcoded physical memory region, which is either not
         available or contains stuff which is completely unrelated.
      
       - Prevents that the interrupt of the serial port can be requested
      
       - In case of a spurious interrupt it goes into a infinite loop in the
         interrupt handler of the pdev_bus driver (which needs to be fixed
         seperately).
      
      Add a 'goldfish' command line option to make the registration opt-in when
      the platform is compiled in.
      
      I'm seriously grumpy about this engineering trainwreck, which has seven
      SOBs from Intel developers for 50 lines of code. And none of them figured
      out that this is broken. Impressive fail!
      
      Fixes: ddd70cf9 ("goldfish: platform device for x86")
      Reported-by: default avatarGabriel C <nix.or.die@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      d3926e19
    • Johan Hovold's avatar
      USB: serial: ark3116: fix register-accessor error handling · 9ce78b1e
      Johan Hovold authored
      commit 9fef37d7 upstream.
      
      The current implementation failed to detect short transfers, something
      which could lead to bits of the uninitialised heap transfer buffer
      leaking to user space.
      
      Fixes: 149fc791 ("USB: ark3116: Setup some basic infrastructure for new ark3116 driver.")
      Fixes: f4c1e8d5 ("USB: ark3116: Make existing functions 16450-aware and add close and release functions.")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9ce78b1e
    • Johan Hovold's avatar
      USB: serial: opticon: fix CTS retrieval at open · 1110205c
      Johan Hovold authored
      commit 2eee0502 upstream.
      
      The opticon driver used a control request at open to trigger a CTS
      status notification to be sent over the bulk-in pipe. When the driver
      was converted to using the generic read implementation, an inverted test
      prevented this request from being sent, something which could lead to
      TIOCMGET reporting an incorrect CTS state.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 7a6ee2b0 ("USB: opticon: switch to generic read implementation")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      1110205c
    • Johan Hovold's avatar
      USB: serial: spcp8x5: fix modem-status handling · 3e642b83
      Johan Hovold authored
      commit 5ed8d410 upstream.
      
      Make sure to detect short control transfers and return zero on success
      when retrieving the modem status.
      
      This fixes the TIOCMGET implementation which since e1ed212d ("USB:
      spcp8x5: add proper modem-status support") has returned TIOCM_LE on
      successful retrieval, and avoids leaking bits from the stack on short
      transfers.
      
      This also fixes the carrier-detect implementation which since the above
      mentioned commit unconditionally has returned true.
      
      Fixes: e1ed212d ("USB: spcp8x5: add proper modem-status support")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3e642b83
    • Johan Hovold's avatar
      USB: serial: ftdi_sio: fix line-status over-reporting · c1514183
      Johan Hovold authored
      commit a6bb1e17 upstream.
      
      FTDI devices use a receive latency timer to periodically empty the
      receive buffer and report modem and line status (also when the buffer is
      empty).
      
      When a break or error condition is detected the corresponding status
      flags will be set on a packet with nonzero data payload and the flags
      are not updated until the break is over or further characters are
      received.
      
      In order to avoid over-reporting break and error conditions, these flags
      must therefore only be processed for packets with payload.
      
      This specifically fixes the case where after an overrun, the error
      condition is continuously reported and NULL-characters inserted until
      further data is received.
      Reported-by: default avatarMichael Walle <michael@walle.cc>
      Fixes: 72fda3ca ("USB: serial: ftd_sio: implement sysrq handling on
      break")
      Fixes: 166ceb69 ("USB: ftdi_sio: clean up line-status handling")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c1514183
    • Johan Hovold's avatar
      USB: serial: ftdi_sio: fix extreme low-latency setting · af1f7fb6
      Johan Hovold authored
      commit c6dce262 upstream.
      
      Since commit 557aaa7f ("ft232: support the ASYNC_LOW_LATENCY
      flag") the FTDI driver has been using a receive latency-timer value of
      1 ms instead of the device default of 16 ms.
      
      The latency timer is used to periodically empty a non-full receive
      buffer, but a status header is always sent when the timer expires
      including when the buffer is empty. This means that a two-byte bulk
      message is received every millisecond also for an otherwise idle port as
      long as it is open.
      
      Let's restore the pre-2009 behaviour which reduces the rate of the
      status messages to 1/16th (e.g. interrupt frequency drops from 1 kHz to
      62.5 Hz) by not setting ASYNC_LOW_LATENCY by default.
      
      Anyone willing to pay the price for the minimum-latency behaviour should
      set the flag explicitly instead using the TIOCSSERIAL ioctl or a tool
      such as setserial (e.g. setserial /dev/ttyUSB0 low_latency).
      
      Note that since commit 0cbd81a9 ("USB: ftdi_sio: remove
      tty->low_latency") the ASYNC_LOW_LATENCY flag has no other effects but
      to set a minimal latency timer.
      Reported-by: default avatarAntoine Aubert <a.aubert@overkiz.com>
      Fixes: 557aaa7f ("ft232: support the ASYNC_LOW_LATENCY flag")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      af1f7fb6
    • Johan Hovold's avatar
      USB: serial: ftdi_sio: fix modem-status error handling · aa814edb
      Johan Hovold authored
      commit 427c3a95 upstream.
      
      Make sure to detect short responses when fetching the modem status in
      order to avoid parsing uninitialised buffer data and having bits of it
      leak to user space.
      
      Note that we still allow for short 1-byte responses.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      aa814edb
    • Johan Hovold's avatar
      USB: serial: mos7840: fix another NULL-deref at open · c8c6bd83
      Johan Hovold authored
      commit 5182c2cf upstream.
      
      Fix another NULL-pointer dereference at open should a malicious device
      lack an interrupt-in endpoint.
      
      Note that the driver has a broken check for an interrupt-in endpoint
      which means that an interrupt URB has never even been submitted.
      
      Fixes: 3f542974 ("USB: Moschip 7840 USB-Serial Driver")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c8c6bd83
    • Maxime Jayat's avatar
      net: socket: fix recvmmsg not returning error from sock_error · 0b5240c4
      Maxime Jayat authored
      commit e623a9e9 upstream.
      
      Commit 34b88a68 ("net: Fix use after free in the recvmmsg exit path"),
      changed the exit path of recvmmsg to always return the datagrams
      variable and modified the error paths to set the variable to the error
      code returned by recvmsg if necessary.
      
      However in the case sock_error returned an error, the error code was
      then ignored, and recvmmsg returned 0.
      
      Change the error path of recvmmsg to correctly return the error code
      of sock_error.
      
      The bug was triggered by using recvmmsg on a CAN interface which was
      not up. Linux 4.6 and later return 0 in this case while earlier
      releases returned -ENETDOWN.
      
      Fixes: 34b88a68 ("net: Fix use after free in the recvmmsg exit path")
      Signed-off-by: default avatarMaxime Jayat <maxime.jayat@mobile-devices.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      0b5240c4
    • Anoob Soman's avatar
      packet: Do not call fanout_release from atomic contexts · 9aab3592
      Anoob Soman authored
      commit 2bd624b4 upstream.
      
      Commit 66644982 ("packet: call fanout_release, while UNREGISTERING a
      netdev"), unfortunately, introduced the following issues.
      
      1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside
      rcu_read-side critical section. rcu_read_lock disables preemption, most often,
      which prohibits calling sleeping functions.
      
      [  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
      [  ]
      [  ] rcu_scheduler_active = 1, debug_locks = 0
      [  ] 4 locks held by ovs-vswitchd/1969:
      [  ]  #0:  (cb_lock){++++++}, at: [<ffffffff8158a6c9>] genl_rcv+0x19/0x40
      [  ]  #1:  (ovs_mutex){+.+.+.}, at: [<ffffffffa04878ca>] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
      [  ]  #2:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81564157>] rtnl_lock+0x17/0x20
      [  ]  #3:  (rcu_read_lock){......}, at: [<ffffffff81614165>] packet_notifier+0x5/0x3f0
      [  ]
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff810c9077>] lockdep_rcu_suspicious+0x107/0x110
      [  ]  [<ffffffff810a2da7>] ___might_sleep+0x57/0x210
      [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
      [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
      [  ]  [<ffffffff810de93f>] ? vprintk_default+0x1f/0x30
      [  ]  [<ffffffff81186e88>] ? printk+0x4d/0x4f
      [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock).
      "sleeping function called from invalid context"
      
      [  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
      [  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
      [  ] INFO: lockdep is turned off.
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff810a2f52>] ___might_sleep+0x202/0x210
      [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
      [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
      [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      3. calling dev_remove_pack(&fanout->prot_hook), from inside
      spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
      -> synchronize_net(), which might sleep.
      
      [  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
      [  ] INFO: lockdep is turned off.
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff81186274>] __schedule_bug+0x64/0x73
      [  ]  [<ffffffff8162b8cb>] __schedule+0x6b/0xd10
      [  ]  [<ffffffff8162c5db>] schedule+0x6b/0x80
      [  ]  [<ffffffff81630b1d>] schedule_timeout+0x38d/0x410
      [  ]  [<ffffffff810ea3fd>] synchronize_sched_expedited+0x53d/0x810
      [  ]  [<ffffffff810ea6de>] synchronize_rcu_expedited+0xe/0x10
      [  ]  [<ffffffff8154eab5>] synchronize_net+0x35/0x50
      [  ]  [<ffffffff8154eae3>] dev_remove_pack+0x13/0x20
      [  ]  [<ffffffff8161077e>] fanout_release+0xbe/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      4. fanout_release() races with calls from different CPU.
      
      To fix the above problems, remove the call to fanout_release() under
      rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
      netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
      to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
      __fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
      fanout->prot_hook is removed as well.
      
      [js] no rollover in 3.12
      
      Fixes: 66644982 ("packet: call fanout_release, while UNREGISTERING a netdev")
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarAnoob Soman <anoob.soman@citrix.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9aab3592
    • Eric Dumazet's avatar
      packet: fix races in fanout_add() · 2a272abc
      Eric Dumazet authored
      commit d199fab6 upstream.
      
      Multiple threads can call fanout_add() at the same time.
      
      We need to grab fanout_mutex earlier to avoid races that could
      lead to one thread freeing po->rollover that was set by another thread.
      
      Do the same in fanout_release(), for peace of mind, and to help us
      finding lockdep issues earlier.
      
      [js] no rollover in 3.12
      
      Fixes: dc99f600 ("packet: Add fanout support.")
      Fixes: 0648ab70 ("packet: rollover prepare: per-socket state")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      2a272abc
    • Eric Dumazet's avatar
      l2tp: do not use udp_ioctl() · 3d753377
      Eric Dumazet authored
      commit 72fb96e7 upstream.
      
      udp_ioctl(), as its name suggests, is used by UDP protocols,
      but is also used by L2TP :(
      
      L2TP should use its own handler, because it really does not
      look the same.
      
      SIOCINQ for instance should not assume UDP checksum or headers.
      
      Thanks to Andrey and syzkaller team for providing the report
      and a nice reproducer.
      
      While crashes only happen on recent kernels (after commit
      7c13f97f ("udp: do fwd memory scheduling on dequeue")), this
      probably needs to be backported to older kernels.
      
      Fixes: 7c13f97f ("udp: do fwd memory scheduling on dequeue")
      Fixes: 85584672 ("udp: Fix udp_poll() and ioctl()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3d753377
    • WANG Cong's avatar
      ping: fix a null pointer dereference · c6dfb877
      WANG Cong authored
      commit 73d2c667 upstream.
      
      Andrey reported a kernel crash:
      
        general protection fault: 0000 [#1] SMP KASAN
        Dumping ftrace buffer:
           (ftrace buffer empty)
        Modules linked in:
        CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        task: ffff880060048040 task.stack: ffff880069be8000
        RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
        RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
        RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
        RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
        RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
        RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
        R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
        R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
        FS:  00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
        Call Trace:
         inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
         sock_sendmsg_nosec net/socket.c:635 [inline]
         sock_sendmsg+0xca/0x110 net/socket.c:645
         SYSC_sendto+0x660/0x810 net/socket.c:1687
         SyS_sendto+0x40/0x50 net/socket.c:1655
         entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      This is because we miss a check for NULL pointer for skb_peek() when
      the queue is empty. Other places already have the same check.
      
      Fixes: c319b4d7 ("net: ipv4: add IPPROTO_ICMP socket kind")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c6dfb877
    • Eric Dumazet's avatar
      ip6_gre: fix ip6gre_err() invalid reads · a05c8e39
      Eric Dumazet authored
      commit 7892032c upstream.
      
      Andrey Konovalov reported out of bound accesses in ip6gre_err()
      
      If GRE flags contains GRE_KEY, the following expression
      *(((__be32 *)p) + (grehlen / 4) - 1)
      
      accesses data ~40 bytes after the expected point, since
      grehlen includes the size of IPv6 headers.
      
      Let's use a "struct gre_base_hdr *greh" pointer to make this
      code more readable.
      
      p[1] becomes greh->protocol.
      grhlen is the GRE header length.
      
      Fixes: c12b395a ("gre: Support GRE over IPv6")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a05c8e39