1. 05 Aug, 2020 31 commits
  2. 31 Jul, 2020 9 commits
    • Linux 4.19.136 · 13af6c74
      Greg Kroah-Hartman authored
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • regmap: debugfs: check count when read regmap file · 9989c022
      Peng Fan authored
      commit 74edd08a upstream.
      
      When executing the following command, we met kernel dump.
      dmesg -c > /dev/null; cd /sys;
      for i in `ls /sys/kernel/debug/regmap/* -d`; do
      	echo "Checking regmap in $i";
      	cat $i/registers;
      done && grep -ri "0x02d0" *;
      
      It is because the count value is too big, and kmalloc fails. So add an
      upper bound check to allow max size `PAGE_SIZE << (MAX_ORDER - 1)`.
      Signed-off-by: Peng Fan <peng.fan@nxp.com>
      Link: https://lore.kernel.org/r/1584064687-12964-1-git-send-email-peng.fan@nxp.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • rtnetlink: Fix memory(net_device) leak when ->newlink fails · ddb5bba4
      Weilong Chen authored
      [ Upstream commit cebb6975 ]
      
      When vlan_newlink call register_vlan_dev fails, it might return error
      with dev->reg_state = NETREG_UNREGISTERED. The rtnl_newlink should
      free the memory. But currently rtnl_newlink only free the memory which
      state is NETREG_UNINITIALIZED.
      
      BUG: memory leak
      unreferenced object 0xffff8881051de000 (size 4096):
        comm "syz-executor139", pid 560, jiffies 4294745346 (age 32.445s)
        hex dump (first 32 bytes):
          76 6c 61 6e 32 00 00 00 00 00 00 00 00 00 00 00  vlan2...........
          00 45 28 03 81 88 ff ff 00 00 00 00 00 00 00 00  .E(.............
        backtrace:
          [<0000000047527e31>] kmalloc_node include/linux/slab.h:578 [inline]
          [<0000000047527e31>] kvmalloc_node+0x33/0xd0 mm/util.c:574
          [<000000002b59e3bc>] kvmalloc include/linux/mm.h:753 [inline]
          [<000000002b59e3bc>] kvzalloc include/linux/mm.h:761 [inline]
          [<000000002b59e3bc>] alloc_netdev_mqs+0x83/0xd90 net/core/dev.c:9929
          [<000000006076752a>] rtnl_create_link+0x2c0/0xa20 net/core/rtnetlink.c:3067
          [<00000000572b3be5>] __rtnl_newlink+0xc9c/0x1330 net/core/rtnetlink.c:3329
          [<00000000e84ea553>] rtnl_newlink+0x66/0x90 net/core/rtnetlink.c:3397
          [<0000000052c7c0a9>] rtnetlink_rcv_msg+0x540/0x990 net/core/rtnetlink.c:5460
          [<000000004b5cb379>] netlink_rcv_skb+0x12b/0x3a0 net/netlink/af_netlink.c:2469
          [<00000000c71c20d3>] netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
          [<00000000c71c20d3>] netlink_unicast+0x4c6/0x690 net/netlink/af_netlink.c:1329
          [<00000000cca72fa9>] netlink_sendmsg+0x735/0xcc0 net/netlink/af_netlink.c:1918
          [<000000009221ebf7>] sock_sendmsg_nosec net/socket.c:652 [inline]
          [<000000009221ebf7>] sock_sendmsg+0x109/0x140 net/socket.c:672
          [<000000001c30ffe4>] ____sys_sendmsg+0x5f5/0x780 net/socket.c:2352
          [<00000000b71ca6f3>] ___sys_sendmsg+0x11d/0x1a0 net/socket.c:2406
          [<0000000007297384>] __sys_sendmsg+0xeb/0x1b0 net/socket.c:2439
          [<000000000eb29b11>] do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
          [<000000006839b4d0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: cb626bf5 ("net-sysfs: Fix reference count leak")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Weilong Chen <chenweilong@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • udp: Improve load balancing for SO_REUSEPORT. · 325ac51b
      Kuniyuki Iwashima authored
      [ Upstream commit efc6b6f6 ]
      
      Currently, SO_REUSEPORT does not work well if connected sockets are in a
      UDP reuseport group.
      
      Then reuseport_has_conns() returns true and the result of
      reuseport_select_sock() is discarded. Also, unconnected sockets have the
      same score, hence only the first unconnected socket in udp_hslot always
      receives all packets sent to unconnected sockets.
      
      So, the result of reuseport_select_sock() should be used for load
      balancing.
      
      The noteworthy point is that the unconnected sockets placed after
      connected sockets in sock_reuseport.socks will receive more packets than
      others because of the algorithm in reuseport_select_sock().
      
          index | connected | reciprocal_scale | result
          ---------------------------------------------
          0     | no        | 20%              | 40%
          1     | no        | 20%              | 20%
          2     | yes       | 20%              | 0%
          3     | no        | 20%              | 40%
          4     | yes       | 20%              | 0%
      
      If most of the sockets are connected, this can be a problem, but it still
      works better than now.
      
      Fixes: acdcecc6 ("udp: correct reuseport selection with connected sockets")
      CC: Willem de Bruijn <willemb@google.com>
      Reviewed-by: Benjamin Herrenschmidt <benh@amazon.com>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
      Acked-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
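The distribution table in the commit message above can be reproduced with a small user-space model of the hash fallback walk. This is an added example, not code from the commit or the kernel tree: `select_sock()`, `share_percent()` and the `connected[]` array (a stand-in for the socket state check) are hypothetical names, and the hash values are constructed to be evenly spaced.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_SOCKS 5
#define NUM_HASHES (1u << 16)   /* constructed: evenly spaced 32-bit hashes */

/* Constructed group matching the table: indexes 2 and 4 are connected. */
static const int connected[NUM_SOCKS] = { 0, 0, 1, 0, 1 };

/* Maps a 32-bit value onto [0, n), same arithmetic as the kernel helper. */
static uint32_t reciprocal_scale(uint32_t val, uint32_t n)
{
    return (uint32_t)(((uint64_t)val * n) >> 32);
}

/* Model of the hash fallback: start at the scaled index, walk forward
 * (wrapping) past connected sockets; -1 if every socket is connected. */
static int select_sock(uint32_t hash)
{
    int i, j;

    i = j = (int)reciprocal_scale(hash, NUM_SOCKS);
    while (connected[i]) {
        if (++i >= NUM_SOCKS)
            i = 0;
        if (i == j)
            return -1;
    }
    return i;
}

/* Rounded percentage of the sampled hashes delivered to socket idx. */
static unsigned share_percent(int idx)
{
    uint64_t hits = 0;

    for (uint32_t k = 0; k < NUM_HASHES; k++)
        if (select_sock(k << 16) == idx)
            hits++;
    return (unsigned)((hits * 100 + NUM_HASHES / 2) / NUM_HASHES);
}

int main(void)
{
    for (int i = 0; i < NUM_SOCKS; i++)
        printf("%d | %-3s | %u%%\n", i, connected[i] ? "yes" : "no",
               share_percent(i));
    return 0;
}
```

An unconnected socket inherits the share of every connected socket directly before it, which is why indexes 0 and 3 each end up with twice the load of index 1.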
    • udp: Copy has_conns in reuseport_grow(). · 0f26f967
      Kuniyuki Iwashima authored
      [ Upstream commit f2b2c55e ]
      
      If an unconnected socket in a UDP reuseport group connect()s, has_conns is
      set to 1. Then, when a packet is received, udp[46]_lib_lookup2() scans all
      sockets in udp_hslot looking for the connected socket with the highest
      score.
      
      However, when the number of sockets bound to the port exceeds max_socks,
      reuseport_grow() resets has_conns to 0. It can cause udp[46]_lib_lookup2()
      to return without scanning all sockets, resulting in that packets sent to
      connected sockets may be distributed to unconnected sockets.
      
      Therefore, reuseport_grow() should copy has_conns.
      
      Fixes: acdcecc6 ("udp: correct reuseport selection with connected sockets")
      CC: Willem de Bruijn <willemb@google.com>
      Reviewed-by: Benjamin Herrenschmidt <benh@amazon.com>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
      Acked-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sctp: shrink stream outq when fails to do addstream reconf · f9716767
      Xin Long authored
      [ Upstream commit 3ecdda3e ]
      
      When adding a stream with stream reconf, the new stream is at first in
      CLOSED state but new out chunks can still be enqueued. Then once it gets
      the confirmation from the peer, the state will change to OPEN.
      
      However, if the peer denies, it needs to roll back the stream. But when
      doing that, it only sets the stream outcnt back, and the chunks already
      in the new stream don't get purged. As a result, these chunks can still be
      dequeued in sctp_outq_dequeue_data().
      
      As its stream is still in CLOSE, the chunk will be enqueued to the head
      again by sctp_outq_head_data(). This chunk will never be sent out, and
      the chunks after it can never be dequeued. The assoc will be 'hung' in
      a dead loop of sending this chunk.
      
      To fix it, this patch is to purge these chunks already in the new
      stream by calling sctp_stream_shrink_out() when failing to do the
      addstream reconf.
      
      Fixes: 11ae76e6 ("sctp: implement receiver-side procedures for the Reconf Response Parameter")
      Reported-by: Ying Xu <yinxu@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sctp: shrink stream outq only when new outcnt < old outcnt · f2ee8131
      Xin Long authored
      [ Upstream commit 8f13399d ]
      
      It's not necessary to go list_for_each for outq->out_chunk_list
      when new outcnt >= old outcnt, as no chunk with higher sid than
      new (outcnt - 1) exists in the outqueue.
      
      While at it, also move the list_for_each code in a new function
      sctp_stream_shrink_out(), which will be used in the next patch.
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • AX.25: Prevent integer overflows in connect and sendmsg · f0965dc9
      Dan Carpenter authored
      [ Upstream commit 17ad73e9 ]
      
      We recently added some bounds checking in ax25_connect() and
      ax25_sendmsg() and so we removed the AX25_MAX_DIGIS checks because
      they were no longer required.
      
      Unfortunately, I believe they are required to prevent integer overflows
      so I have added them back.
      
      Fixes: 8885bb06 ("AX.25: Prevent out-of-bounds read in ax25_sendmsg()")
      Fixes: 2f2a7ffa ("AX.25: Fix out-of-bounds read in ax25_connect()")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tcp: allow at most one TLP probe per flight · 55c73db2
      Yuchung Cheng authored
      [ Upstream commit 76be93fc ]
      
      Previously TLP may send multiple probes of new data in one
      flight. This happens when the sender is cwnd limited. After the
      initial TLP containing new data is sent, the sender receives another
      ACK that acks partial inflight.  It may re-arm another TLP timer
      to send more, if no further ACK returns before the next TLP timeout
      (PTO) expires. The sender may send in theory a large amount of TLP
      until send queue is depleted. This only happens if the sender sees
      such irregular uncommon ACK pattern. But it is generally undesirable
      behavior during congestion especially.
      
      The original TLP design restricts to only one TLP probe per inflight as
      published in "Reducing Web Latency: the Virtue of Gentle Aggression",
      SIGCOMM 2013. This patch changes TLP to send at most one probe
      per inflight.
      
      Note that if the sender is app-limited, TLP retransmits old data
      and does not have this issue.
      Signed-off-by: Yuchung Cheng <ycheng@google.com>
      Signed-off-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>