1. 20 Apr, 2017 6 commits
  2. 19 Apr, 2017 5 commits
    • Cong Wang's avatar
      nsfs: mark dentry with DCACHE_RCUACCESS · 073c516f
      Cong Wang authored
      Andrey reported a use-after-free in __ns_get_path():
      
        spin_lock include/linux/spinlock.h:299 [inline]
        lockref_get_not_dead+0x19/0x80 lib/lockref.c:179
        __ns_get_path+0x197/0x860 fs/nsfs.c:66
        open_related_ns+0xda/0x200 fs/nsfs.c:143
        sock_ioctl+0x39d/0x440 net/socket.c:1001
        vfs_ioctl fs/ioctl.c:45 [inline]
        do_vfs_ioctl+0x1bf/0x1780 fs/ioctl.c:685
        SYSC_ioctl fs/ioctl.c:700 [inline]
        SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
      
      We are under rcu read lock protection at that point:
      
              rcu_read_lock();
              d = atomic_long_read(&ns->stashed);
              if (!d)
                      goto slow;
              dentry = (struct dentry *)d;
              if (!lockref_get_not_dead(&dentry->d_lockref))
                      goto slow;
              rcu_read_unlock();
      
      but don't use a proper RCU API on the free path, therefore a parallel
      __d_free() could free it at the same time.  We need to mark the stashed
      dentry with DCACHE_RCUACCESS so that __d_free() will be called after all
      readers leave RCU.
      
      Fixes: e149ed2b ("take the targets of /proc/*/ns/* symlinks to separate fs")
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      073c516f
    • Michal Hocko's avatar
      mm: make mm_percpu_wq non freezable · 80d136e1
      Michal Hocko authored
      Geert has reported a freeze during PM resume and some additional
      debugging has shown that the device_resume worker cannot make a forward
      progress because it waits for an event which is stuck waiting in
      drain_all_pages:
      
        INFO: task kworker/u4:0:5 blocked for more than 120 seconds.
              Not tainted 4.11.0-rc7-koelsch-00029-g005882e5-dirty #3476
        "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
        kworker/u4:0    D    0     5      2 0x00000000
        Workqueue: events_unbound async_run_entry_fn
          __schedule
          schedule
          schedule_timeout
          wait_for_common
          dpm_wait_for_superior
          device_resume
          async_resume
          async_run_entry_fn
          process_one_work
          worker_thread
          kthread
        [...]
        bash            D    0  1703   1694 0x00000000
          __schedule
          schedule
          schedule_timeout
          wait_for_common
          flush_work
          drain_all_pages
          start_isolate_page_range
          alloc_contig_range
          cma_alloc
          __alloc_from_contiguous
          cma_allocator_alloc
          __dma_alloc
          arm_dma_alloc
          sh_eth_ring_init
          sh_eth_open
          sh_eth_resume
          dpm_run_callback
          device_resume
          dpm_resume
          dpm_resume_end
          suspend_devices_and_enter
          pm_suspend
          state_store
          kernfs_fop_write
          __vfs_write
          vfs_write
          SyS_write
        [...]
        Showing busy workqueues and worker pools:
        [...]
        workqueue mm_percpu_wq: flags=0xc
          pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=0/0
            delayed: drain_local_pages_wq, vmstat_update
          pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=0/0
            delayed: drain_local_pages_wq BAR(1703), vmstat_update
      
      Tetsuo has properly noted that mm_percpu_wq is created as WQ_FREEZABLE
      so it is frozen this early during resume so we are effectively
      deadlocked.  Fix this by dropping WQ_FREEZABLE when creating
      mm_percpu_wq.  We really want to have it operational all the time.
      
      Fixes: ce612879 ("mm: move pcp and lru-pcp draining into single wq")
      Reported-and-tested-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Debugged-by: default avatarTetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      80d136e1
    • Linus Torvalds's avatar
      Merge tag 'backlight-for-v4.11' of git://git.linaro.org/people/daniel.thompson/linux · c4bac97b
      Linus Torvalds authored
      Pull backlight fix from Daniel Thompson:
       "Normally pull requests for backlight come from Lee Jones (and will
        continue to do so) but the bug fixed here is annoying for few people
        so I'm providing a little holiday cover.
      
        Fix a single bug in the PWM backlight driver and make it play nice
        with a wider range of GPIO devices. This bug is a regression and was
        independently discovered by Geert Uytterhoevan and Paul Kocialkowski
        (and is tested by both)"
      
      * tag 'backlight-for-v4.11' of git://git.linaro.org/people/daniel.thompson/linux:
        backlight: pwm_bl: Fix GPIO out for unimplemented .get_direction()
      c4bac97b
    • Geert Uytterhoeven's avatar
      backlight: pwm_bl: Fix GPIO out for unimplemented .get_direction() · 892c7788
      Geert Uytterhoeven authored
      Commit 7613c922 ("backlight: pwm_bl: Move the checks for initial
      power state to a separate function") not just moved some code, but made
      slight changes in semantics.
      
      If a gpiochip doesn't implement the optional .get_direction() callback,
      gpiod_get_direction always returns -EINVAL, which is never equal to
      GPIOF_DIR_IN, leading to the GPIO not being configured for output.
      
      To avoid this, invert the test and check for not GPIOF_DIR_OUT instead,
      like the original code did.
      
      This restores the display on r8a7740/armadillo.
      
      Fixes: 7613c922 ("backlight: pwm_bl: Move the checks for initial power state to a separate function")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Acked-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Acked-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      892c7788
    • Jason Gerecke's avatar
      HID: wacom: Treat HID_DG_TOOLSERIALNUMBER as unsigned · 286f3f47
      Jason Gerecke authored
      Because HID_DG_TOOLSERIALNUMBER doesn't first cast the value recieved from HID
      to an unsigned type, sign-extension rules can cause the value of
      wacom_wac->serial[0] to inadvertently wind up with all 32 of its highest bits
      set if the highest bit of "value" was set.
      
      This can cause problems for Tablet PC devices which use AES sensors and the
      xf86-input-wacom userspace driver. It is not uncommon for AES sensors to send a
      serial number of '0' while the pen is entering or leaving proximity. The
      xf86-input-wacom driver ignores events with a serial number of '0' since it
      cannot match them up to an in-use tool.  To ensure the xf86-input-wacom driver
      does not ignore the final out-of-proximity event, the kernel does not send
      MSC_SERIAL events when the value of wacom_wac->serial[0] is '0'. If the highest
      bit of HID_DG_TOOLSERIALNUMBER is set by an in-prox pen which later leaves
      proximity and sends a '0' for HID_DG_TOOLSERIALNUMBER, then only the lowest 32
      bits of wacom_wac->serial[0] are actually cleared, causing the kernel to send
      an MSC_SERIAL event. Since the 'input_event' function takes an 'int' as
      argument, only those lowest (now-cleared) 32 bits of wacom_wac->serial[0] are
      sent to userspace, causing xf86-input-wacom to ignore the event. If the event
      was the final out-of-prox event, then xf86-input-wacom may remain in a state
      where it believes the pen is in proximity and refuses to allow other devices
      under its control (e.g. the touchscreen) to move the cursor.
      
      It should be noted that EMR devices and devices which use both the
      HID_DG_TOOLSERIALNUMBER and WACOM_HID_WD_SERIALHI usages (in that order) would
      be immune to this issue. It appears only AES devices are affected.
      
      Fixes: f85c9dc6 ("HID: wacom: generic: Support tool ID and additional tool types")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
      Acked-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      286f3f47
  3. 18 Apr, 2017 12 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 005882e5
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "Two Sparc bug fixes from Daniel Jordan and Nitin Gupta"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix hugepage page table free
        sparc64: Use LOCKDEP_SMALL, not PROVE_LOCKING_SMALL
      005882e5
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 40d9018e
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) BPF tail call handling bug fixes from Daniel Borkmann.
      
       2) Fix allowance of too many rx queues in sfc driver, from Bert
          Kenward.
      
       3) Non-loopback ipv6 packets claiming src of ::1 should be dropped,
          from Florian Westphal.
      
       4) Statistics requests on KSZ9031 can crash, fix from Grygorii
          Strashko.
      
       5) TX ring handling fixes in mediatek driver, from Sean Wang.
      
       6) ip_ra_control can deadlock, fix lock acquisition ordering to fix,
          from Cong WANG.
      
       7) Fix use after free in ip_recv_error(), from Willem de Buijn.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        bpf: fix checking xdp_adjust_head on tail calls
        bpf: fix cb access in socket filter programs on tail calls
        ipv6: drop non loopback packets claiming to originate from ::1
        net: ethernet: mediatek: fix inconsistency of port number carried in TXD
        net: ethernet: mediatek: fix inconsistency between TXD and the used buffer
        net: phy: micrel: fix crash when statistic requested for KSZ9031 phy
        net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule
        net: thunderx: Fix set_max_bgx_per_node for 81xx rgx
        net-timestamp: avoid use-after-free in ip_recv_error
        ipv4: fix a deadlock in ip_ra_control
        sfc: limit the number of receive queues
      40d9018e
    • Nitin Gupta's avatar
      sparc64: Fix hugepage page table free · 544f8f93
      Nitin Gupta authored
      Make sure the start adderess is aligned to PMD_SIZE
      boundary when freeing page table backing a hugepage
      region. The issue was causing segfaults when a region
      backed by 64K pages was unmapped since such a region
      is in general not PMD_SIZE aligned.
      Signed-off-by: default avatarNitin Gupta <nitin.m.gupta@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      544f8f93
    • Daniel Jordan's avatar
      sparc64: Use LOCKDEP_SMALL, not PROVE_LOCKING_SMALL · 395102db
      Daniel Jordan authored
      CONFIG_PROVE_LOCKING_SMALL shrinks the memory usage of lockdep so the
      kernel text, data, and bss fit in the required 32MB limit, but this
      option is not set for every config that enables lockdep.
      
      A 4.10 kernel fails to boot with the console output
      
          Kernel: Using 8 locked TLB entries for main kernel image.
          hypervisor_tlb_lock[2000000:0:8000000071c007c3:1]: errors with f
          Program terminated
      
      with these config options
      
          CONFIG_LOCKDEP=y
          CONFIG_LOCK_STAT=y
          CONFIG_PROVE_LOCKING=n
      
      To fix, rename CONFIG_PROVE_LOCKING_SMALL to CONFIG_LOCKDEP_SMALL, and
      enable this option with CONFIG_LOCKDEP=y so we get the reduced memory
      usage every time lockdep is turned on.
      
      Tested that CONFIG_LOCKDEP_SMALL is set to 'y' if and only if
      CONFIG_LOCKDEP is set to 'y'.  When other lockdep-related config options
      that select CONFIG_LOCKDEP are enabled (e.g. CONFIG_LOCK_STAT or
      CONFIG_PROVE_LOCKING), verified that CONFIG_LOCKDEP_SMALL is also
      enabled.
      
      Fixes: e6b5f1be ("config: Adding the new config parameter CONFIG_PROVE_LOCKING_SMALL for sparc")
      Signed-off-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
      Reviewed-by: default avatarBabu Moger <babu.moger@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      395102db
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.11-rc5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · fb5e2154
      Linus Torvalds authored
      Pull ftrace testcase update from Steven Rostedt:
       "While testing my development branch, without the fix for the pid use
        after free bug, the selftest that Namhyung added triggers it. I
        figured it would be good to add the test for the bug after the fix,
        such that it does not exist without the fix.
      
        I added another patch that lets the test only test part of the pid
        filtering, and ignores the function-fork (filtering on children as
        well) if the function-fork feature does not exist. This feature is
        added by Namhyung just before he added this test. But since the test
        tests both with and without the feature, it would be good to let it
        not fail if the feature does not exist"
      
      * tag 'trace-v4.11-rc5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        selftests: ftrace: Add check for function-fork before running pid filter test
        selftests: ftrace: Add a testcase for function PID filter
      fb5e2154
    • Steven Rostedt (VMware)'s avatar
      selftests: ftrace: Add check for function-fork before running pid filter test · 9ed19c76
      Steven Rostedt (VMware) authored
      Have the func-filter-pid test check for the function-fork option before
      testing it. It can still test the pid filtering, but will stop before
      testing the function-fork option for children inheriting the pids.
      This allows the test to be added before the function-fork feature, but after
      a bug fix that triggers one of the bugs the test can cause.
      
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Shuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      9ed19c76
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.11-rc5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 0bad6d7e
      Linus Torvalds authored
      Pull ftrace fix from Steven Rostedt:
       "Namhyung Kim discovered a use after free bug. It has to do with adding
        a pid filter to function tracing in an instance, and then freeing the
        instance"
      
      * tag 'trace-v4.11-rc5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace: Fix function pid filter on instances
      0bad6d7e
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 5ee4c5a9
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes the following problems:
      
         - regression in new XTS/LRW code when used with async crypto
      
         - long-standing bug in ahash API when used with certain algos
      
         - bogus memory dereference in async algif_aead with certain algos"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: algif_aead - Fix bogus request dereference in completion function
        crypto: ahash - Fix EINPROGRESS notification callback
        crypto: lrw - Fix use-after-free on EINPROGRESS
        crypto: xts - Fix use-after-free on EINPROGRESS
      5ee4c5a9
    • Namhyung Kim's avatar
      selftests: ftrace: Add a testcase for function PID filter · 093be89a
      Namhyung Kim authored
      Like event pid filtering test, add function pid filtering test with the
      new "function-fork" option.  It also tests it on an instance directory
      so that it can verify the bug related pid filtering on instances.
      
      Link: http://lkml.kernel.org/r/20170417024430.21194-5-namhyung@kernel.org
      
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Shuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarNamhyung Kim <namhyung@kernel.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      093be89a
    • Eric Biggers's avatar
      KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings · c9f838d1
      Eric Biggers authored
      This fixes CVE-2017-7472.
      
      Running the following program as an unprivileged user exhausts kernel
      memory by leaking thread keyrings:
      
      	#include <keyutils.h>
      
      	int main()
      	{
      		for (;;)
      			keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
      	}
      
      Fix it by only creating a new thread keyring if there wasn't one before.
      To make things more consistent, make install_thread_keyring_to_cred()
      and install_process_keyring_to_cred() both return 0 if the corresponding
      keyring is already present.
      
      Fixes: d84f4f99 ("CRED: Inaugurate COW credentials")
      Cc: stable@vger.kernel.org # 2.6.29+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      c9f838d1
    • David Howells's avatar
      KEYS: Change the name of the dead type to ".dead" to prevent user access · c1644fe0
      David Howells authored
      This fixes CVE-2017-6951.
      
      Userspace should not be able to do things with the "dead" key type as it
      doesn't have some of the helper functions set upon it that the kernel
      needs.  Attempting to use it may cause the kernel to crash.
      
      Fix this by changing the name of the type to ".dead" so that it's rejected
      up front on userspace syscalls by key_get_type_from_user().
      
      Though this doesn't seem to affect recent kernels, it does affect older
      ones, certainly those prior to:
      
      	commit c06cfb08
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Tue Sep 16 17:36:06 2014 +0100
      	KEYS: Remove key_type::match in favour of overriding default by match_preparse
      
      which went in before 3.18-rc1.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: stable@vger.kernel.org
      c1644fe0
    • David Howells's avatar
      KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings · ee8f844e
      David Howells authored
      This fixes CVE-2016-9604.
      
      Keyrings whose name begin with a '.' are special internal keyrings and so
      userspace isn't allowed to create keyrings by this name to prevent
      shadowing.  However, the patch that added the guard didn't fix
      KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
      it can also subscribe to them as a session keyring if they grant SEARCH
      permission to the user.
      
      This, for example, allows a root process to set .builtin_trusted_keys as
      its session keyring, at which point it has full access because now the
      possessor permissions are added.  This permits root to add extra public
      keys, thereby bypassing module verification.
      
      This also affects kexec and IMA.
      
      This can be tested by (as root):
      
      	keyctl session .builtin_trusted_keys
      	keyctl add user a a @s
      	keyctl list @s
      
      which on my test box gives me:
      
      	2 keys in keyring:
      	180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
      	801382539: --alswrv     0     0 user: a
      
      
      Fix this by rejecting names beginning with a '.' in the keyctl.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      cc: linux-ima-devel@lists.sourceforge.net
      cc: stable@vger.kernel.org
      ee8f844e
  4. 17 Apr, 2017 17 commits
    • Linus Torvalds's avatar
      Merge branch 'parisc-4.11-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 20bb78f6
      Linus Torvalds authored
      Pull parisc fix from Helge Deller:
       "One patch which fixes get_user() for 64-bit values on 32-bit kernels.
      
        Up to now we lost the upper 32-bits of the returned 64-bit value"
      
      * 'parisc-4.11-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Fix get_user() for 64-bit value on 32-bit kernel
      20bb78f6
    • Sachin Prabhu's avatar
      cifs: Do not send echoes before Negotiate is complete · 62a6cfdd
      Sachin Prabhu authored
      commit 4fcd1813 ("Fix reconnect to not defer smb3 session reconnect
      long after socket reconnect") added support for Negotiate requests to
      be initiated by echo calls.
      
      To avoid delays in calling echo after a reconnect, I added the patch
      introduced by the commit b8c60012 ("Call echo service immediately
      after socket reconnect").
      
      This has however caused a regression with cifs shares which do not have
      support for echo calls to trigger Negotiate requests. On connections
      which need to call Negotiation, the echo calls trigger an error which
      triggers a reconnect which in turn triggers another echo call. This
      results in a loop which is only broken when an operation is performed on
      the cifs share. For an idle share, it can DOS a server.
      
      The patch uses the smb_operation can_echo() for cifs so that it is
      called only if connection has been already been setup.
      
      kernel bz: 194531
      Signed-off-by: default avatarSachin Prabhu <sprabhu@redhat.com>
      Tested-by: default avatarJonathan Liu <net147@gmail.com>
      Acked-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      62a6cfdd
    • Namhyung Kim's avatar
      ftrace: Fix function pid filter on instances · d879d0b8
      Namhyung Kim authored
      When function tracer has a pid filter, it adds a probe to sched_switch
      to track if current task can be ignored.  The probe checks the
      ftrace_ignore_pid from current tr to filter tasks.  But it misses to
      delete the probe when removing an instance so that it can cause a crash
      due to the invalid tr pointer (use-after-free).
      
      This is easily reproducible with the following:
      
        # cd /sys/kernel/debug/tracing
        # mkdir instances/buggy
        # echo $$ > instances/buggy/set_ftrace_pid
        # rmdir instances/buggy
      
        ============================================================================
        BUG: KASAN: use-after-free in ftrace_filter_pid_sched_switch_probe+0x3d/0x90
        Read of size 8 by task kworker/0:1/17
        CPU: 0 PID: 17 Comm: kworker/0:1 Tainted: G    B           4.11.0-rc3  #198
        Call Trace:
         dump_stack+0x68/0x9f
         kasan_object_err+0x21/0x70
         kasan_report.part.1+0x22b/0x500
         ? ftrace_filter_pid_sched_switch_probe+0x3d/0x90
         kasan_report+0x25/0x30
         __asan_load8+0x5e/0x70
         ftrace_filter_pid_sched_switch_probe+0x3d/0x90
         ? fpid_start+0x130/0x130
         __schedule+0x571/0xce0
         ...
      
      To fix it, use ftrace_clear_pids() to unregister the probe.  As
      instance_rmdir() already updated ftrace codes, it can just free the
      filter safely.
      
      Link: http://lkml.kernel.org/r/20170417024430.21194-2-namhyung@kernel.org
      
      Fixes: 0c8916c3 ("tracing: Add rmdir to remove multibuffer instances")
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarNamhyung Kim <namhyung@kernel.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      d879d0b8
    • David S. Miller's avatar
      Merge branch 'bpf-fixes' · acf167f3
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      Two BPF fixes
      
      The set fixes cb_access and xdp_adjust_head bits in struct bpf_prog,
      that are used for requirement checks on the program rather than f.e.
      heuristics. Thus, for tail calls, we cannot make any assumptions and
      are forced to set them.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      acf167f3
    • Daniel Borkmann's avatar
      bpf: fix checking xdp_adjust_head on tail calls · c2002f98
      Daniel Borkmann authored
      Commit 17bedab2 ("bpf: xdp: Allow head adjustment in XDP prog")
      added the xdp_adjust_head bit to the BPF prog in order to tell drivers
      that the program that is to be attached requires support for the XDP
      bpf_xdp_adjust_head() helper such that drivers not supporting this
      helper can reject the program. There are also drivers that do support
      the helper, but need to check for xdp_adjust_head bit in order to move
      packet metadata prepended by the firmware away for making headroom.
      
      For these cases, the current check for xdp_adjust_head bit is insufficient
      since there can be cases where the program itself does not use the
      bpf_xdp_adjust_head() helper, but tail calls into another program that
      uses bpf_xdp_adjust_head(). As such, the xdp_adjust_head bit is still
      set to 0. Since the first program has no control over which program it
      calls into, we need to assume that bpf_xdp_adjust_head() helper is used
      upon tail calls. Thus, for the very same reasons in cb_access, set the
      xdp_adjust_head bit to 1 when the main program uses tail calls.
      
      Fixes: 17bedab2 ("bpf: xdp: Allow head adjustment in XDP prog")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2002f98
    • Daniel Borkmann's avatar
      bpf: fix cb access in socket filter programs on tail calls · 6b1bb01b
      Daniel Borkmann authored
      Commit ff936a04 ("bpf: fix cb access in socket filter programs")
      added a fix for socket filter programs such that in i) AF_PACKET the
      20 bytes of skb->cb[] area gets zeroed before use in order to not leak
      data, and ii) socket filter programs attached to TCP/UDP sockets need
      to save/restore these 20 bytes since they are also used by protocol
      layers at that time.
      
      The problem is that bpf_prog_run_save_cb() and bpf_prog_run_clear_cb()
      only look at the actual attached program to determine whether to zero
      or save/restore the skb->cb[] parts. There can be cases where the
      actual attached program does not access the skb->cb[], but the program
      tail calls into another program which does access this area. In such
      a case, the zero or save/restore is currently not performed.
      
      Since the programs we tail call into are unknown at verification time
      and can dynamically change, we need to assume that whenever the attached
      program performs a tail call, that later programs could access the
      skb->cb[], and therefore we need to always set cb_access to 1.
      
      Fixes: ff936a04 ("bpf: fix cb access in socket filter programs")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6b1bb01b
    • Florian Westphal's avatar
      ipv6: drop non loopback packets claiming to originate from ::1 · 0aa8c13e
      Florian Westphal authored
      We lack a saddr check for ::1. This causes security issues e.g. with acls
      permitting connections from ::1 because of assumption that these originate
      from local machine.
      
      Assuming a source address of ::1 is local seems reasonable.
      RFC4291 doesn't allow such a source address either, so drop such packets.
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0aa8c13e
    • Stephen Boyd's avatar
      Merge tag 'sunxi-clk-fixes-for-4.11-2-bis' of... · e7590308
      Stephen Boyd authored
      Merge tag 'sunxi-clk-fixes-for-4.11-2-bis' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into clk-fixes
      
      Pull Allwinner clock fixes for 4.11 from Maxime Ripard:
      
      Two build errors fixes for the sunxi-ng drivers.
      
      The two other patches fix random CPU crashes happening on the A33 since
      CPUFreq has been enabled in 4.11.
      
      * tag 'sunxi-clk-fixes-for-4.11-2-bis' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux:
        clk: sunxi-ng: a33: gate then ungate PLL CPU clk after rate change
        clk: sunxi-ng: Add clk notifier to gate then ungate PLL clocks
        clk: sunxi-ng: fix build failure in ccu-sun9i-a80 driver
        clk: sunxi-ng: fix build error without CONFIG_RESET_CONTROLLER
      e7590308
    • David S. Miller's avatar
      Merge branch 'mediatek-tx-bugs' · 71947f0f
      David S. Miller authored
      Sean Wang says:
      
      ====================
      mediatek: Fix crash caused by reporting inconsistent skb->len to BQL
      
      Changes since v1:
      - fix inconsistent enumeration which easily causes the potential bug
      
      The series fixes kernel BUG caused by inconsistent SKB length reported
      into BQL. The reason for inconsistent length comes from hardware BUG which
      results in different port number carried on the TXD within the lifecycle of
      SKB. So patch 2) is proposed for use a software way to track which port
      the SKB involving instead of hardware way. And patch 1) is given for another
      issue I found which causes TXD and SKB inconsistency that is not expected
      in the initial logic, so it is also being corrected it in the series.
      
      The log for the kernel BUG caused by the issue is posted as below.
      
      [  120.825955] kernel BUG at ... lib/dynamic_queue_limits.c:26!
      [  120.837684] Internal error: Oops - BUG: 0 [#1] SMP ARM
      [  120.842778] Modules linked in:
      [  120.845811] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.11.0-rc1-191576-gdbcef47 #35
      [  120.853488] Hardware name: Mediatek Cortex-A7 (Device Tree)
      [  120.859012] task: c1007480 task.stack: c1000000
      [  120.863510] PC is at dql_completed+0x108/0x17c
      [  120.867915] LR is at 0x46
      [  120.870512] pc : [<c03c19c8>]    lr : [<00000046>]    psr: 80000113
      [  120.870512] sp : c1001d58  ip : c1001d80  fp : c1001d7c
      [  120.881895] r10: 0000003e  r9 : df6b3400  r8 : 0ed86506
      [  120.887075] r7 : 00000001  r6 : 00000001  r5 : 0ed8654c  r4 : df0135d8
      [  120.893546] r3 : 00000001  r2 : df016800  r1 : 0000fece  r0 : df6b3480
      [  120.900018] Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [  120.907093] Control: 10c5387d  Table: 9e27806a  DAC: 00000051
      [  120.912789] Process swapper/0 (pid: 0, stack limit = 0xc1000218)
      [  120.918744] Stack: (0xc1001d58 to 0xc1002000)
      
      ....
      
      121.085331] 1fc0: 00000000 c0a52a28 00000000 c10855d4 c1003c58 c0a52a24 c100885c 8000406a
      [  121.093444] 1fe0: 410fc073 00000000 00000000 c1001ff8 8000807c c0a009cc 00000000 00000000
      [  121.101575] [<c03c19c8>] (dql_completed) from [<c04cb010>] (mtk_napi_tx+0x1d0/0x37c)
      [  121.109263] [<c04cb010>] (mtk_napi_tx) from [<c05e28cc>] (net_rx_action+0x24c/0x3b8)
      [  121.116951] [<c05e28cc>] (net_rx_action) from [<c010152c>] (__do_softirq+0xe4/0x35c)
      [  121.124638] [<c010152c>] (__do_softirq) from [<c012a624>] (irq_exit+0xe8/0x150)
      [  121.131895] [<c012a624>] (irq_exit) from [<c017750c>] (__handle_domain_irq+0x70/0xc4)
      [  121.139666] [<c017750c>] (__handle_domain_irq) from [<c0101404>] (gic_handle_irq+0x58/0x9c)
      [  121.147953] [<c0101404>] (gic_handle_irq) from [<c010e18c>] (__irq_svc+0x6c/0x90)
      [  121.155373] Exception stack(0xc1001ef8 to 0xc1001f40)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      71947f0f
    • Sean Wang's avatar
      net: ethernet: mediatek: fix inconsistency of port number carried in TXD · 134d2152
      Sean Wang authored
      Fix port inconsistency on TXD due to hardware BUG that would cause
      different port number is carried on the same TXD between tx_map()
      and tx_unmap() with the iperf test. It would cause confusing BQL
      logic which leads to kernel panic when dual GMAC runs concurrently.
      Signed-off-by: default avatarSean Wang <sean.wang@mediatek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      134d2152
    • Sean Wang's avatar
      net: ethernet: mediatek: fix inconsistency between TXD and the used buffer · 81d2dd09
      Sean Wang authored
      Fix inconsistency between the TXD descriptor and the used buffer that
      would cause unexpected logic at mtk_tx_unmap() during skb housekeeping.
      Signed-off-by: default avatarSean Wang <sean.wang@mediatek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81d2dd09
    • Grygorii Strashko's avatar
      net: phy: micrel: fix crash when statistic requested for KSZ9031 phy · bfe72442
      Grygorii Strashko authored
      Now the command:
      	ethtool --phy-statistics eth0
      will cause system crash with meassage "Unable to handle kernel NULL pointer
      dereference at virtual address 00000010" from:
      
       (kszphy_get_stats) from [<c069f1d8>] (ethtool_get_phy_stats+0xd8/0x210)
       (ethtool_get_phy_stats) from [<c06a0738>] (dev_ethtool+0x5b8/0x228c)
       (dev_ethtool) from [<c06b5484>] (dev_ioctl+0x3fc/0x964)
       (dev_ioctl) from [<c0679f7c>] (sock_ioctl+0x170/0x2c0)
       (sock_ioctl) from [<c02419d4>] (do_vfs_ioctl+0xa8/0x95c)
       (do_vfs_ioctl) from [<c02422c4>] (SyS_ioctl+0x3c/0x64)
       (SyS_ioctl) from [<c0107d60>] (ret_fast_syscall+0x0/0x44)
      
      The reason: phy_driver structure for KSZ9031 phy has no .probe() callback
      defined. As result, struct phy_device *phydev->priv pointer will not be
      initializes (null).
      This issue will affect also following phys:
       KSZ8795, KSZ886X, KSZ8873MLL, KSZ9031, KSZ9021, KSZ8061, KS8737
      
      Fix it by:
      - adding .probe() = kszphy_probe() callback to KSZ9031, KSZ9021
      phys. The kszphy_probe() can be re-used as it doesn't do any phy specific
      settings.
      - removing statistic callbacks from other phys (KSZ8795, KSZ886X,
      KSZ8873MLL, KSZ8061, KS8737) as they doesn't have corresponding
      statistic counters.
      
      Fixes: 2b2427d0 ("phy: micrel: Add ethtool statistics counters")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bfe72442
    • David Ahern's avatar
      net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule · 426c87ca
      David Ahern authored
      Only need 1 l3mdev FIB rule. Fix setting NLM_F_EXCL in the nlmsghdr.
      
      Fixes: 1aa6c4f6 ("net: vrf: Add l3mdev rules on first device create")
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      426c87ca
    • George Cherian's avatar
      net: thunderx: Fix set_max_bgx_per_node for 81xx rgx · b47a57a2
      George Cherian authored
      Add the PCI_SUBSYS_DEVID_81XX_RGX and use the same to set
      the max bgx per node count.
      
      This fixes the issue intoduced by following commit
      78aacb6f net: thunderx: Fix invalid mac addresses for node1 interfaces
      With this commit the max_bgx_per_node for 81xx is set as 2 instead of 3
      because of which num_vfs is always calculated as zero.
      Signed-off-by: default avatarGeorge Cherian <george.cherian@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b47a57a2
    • Willem de Bruijn's avatar
      net-timestamp: avoid use-after-free in ip_recv_error · 1862d620
      Willem de Bruijn authored
      Syzkaller reported a use-after-free in ip_recv_error at line
      
          info->ipi_ifindex = skb->dev->ifindex;
      
      This function is called on dequeue from the error queue, at which
      point the device pointer may no longer be valid.
      
      Save ifindex on enqueue in __skb_complete_tx_timestamp, when the
      pointer is valid or NULL. Store it in temporary storage skb->cb.
      
      It is safe to reference skb->dev here, as called from device drivers
      or dev_queue_xmit. The exception is when called from tcp_ack_tstamp;
      in that case it is NULL and ifindex is set to 0 (invalid).
      
      Do not return a pktinfo cmsg if ifindex is 0. This maintains the
      current behavior of not returning a cmsg if skb->dev was NULL.
      
      On dequeue, the ipv4 path will cast from sock_exterr_skb to
      in_pktinfo. Both have ifindex as their first element, so no explicit
      conversion is needed. This is by design, introduced in commit
      0b922b7a ("net: original ingress device index in PKTINFO"). For
      ipv6 ip6_datagram_support_cmsg converts to in6_pktinfo.
      
      Fixes: 829ae9d6 ("net-timestamp: allow reading recv cmsg on errqueue with origin tstamp")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1862d620
    • WANG Cong's avatar
      ipv4: fix a deadlock in ip_ra_control · 1215e51e
      WANG Cong authored
      Similar to commit 87e9f031
      ("ipv4: fix a potential deadlock in mcast getsockopt() path"),
      there is a deadlock scenario for IP_ROUTER_ALERT too:
      
             CPU0                    CPU1
             ----                    ----
        lock(rtnl_mutex);
                                     lock(sk_lock-AF_INET);
                                     lock(rtnl_mutex);
        lock(sk_lock-AF_INET);
      
      Fix this by always locking RTNL first on all setsockopt() paths.
      
      Note, after this patch ip_ra_lock is no longer needed either.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1215e51e
    • Bert Kenward's avatar
      sfc: limit the number of receive queues · 271a8b42
      Bert Kenward authored
      The number of rx queues is determined by the rss_cpus parameter
      or the cpu topology. If that is higher than EFX_MAX_RX_QUEUES the
      driver can corrupt state.
      
      Fixes: 8ceee660 ("New driver "sfc" for Solarstorm SFC4000 controller.")
      Signed-off-by: default avatarBert Kenward <bkenward@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      271a8b42