1. 24 Jan, 2018 1 commit
    • Guillaume Nault's avatar
      pppoe: take ->needed_headroom of lower device into account on xmit · 02612bb0
      Guillaume Nault authored
      In pppoe_sendmsg(), reserving dev->hard_header_len bytes of headroom
      was probably fine before the introduction of ->needed_headroom in
      commit f5184d26 ("net: Allow netdevices to specify needed head/tailroom").
      
      But now, virtual devices typically advertise the size of their overhead
      in dev->needed_headroom, so we must also take it into account in
      skb_reserve().
      Allocation size of skb is also updated to take dev->needed_tailroom
      into account and replace the arbitrary 32 bytes with the real size of
      a PPPoE header.
      
      This issue was discovered by syzbot, who connected a pppoe socket to a
      gre device which had dev->header_ops->create == ipgre_header and
      dev->hard_header_len == 0. Therefore, PPPoE didn't reserve any
      headroom, and dev_hard_header() crashed when ipgre_header() tried to
      prepend its header to skb->data.
      
      skbuff: skb_under_panic: text:000000001d390b3a len:31 put:24
      head:00000000d8ed776f data:000000008150e823 tail:0x7 end:0xc0 dev:gre0
      ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:104!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
          (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 3670 Comm: syzkaller801466 Not tainted
      4.15.0-rc7-next-20180115+ #97
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:skb_panic+0x162/0x1f0 net/core/skbuff.c:100
      RSP: 0018:ffff8801d9bd7840 EFLAGS: 00010282
      RAX: 0000000000000083 RBX: ffff8801d4f083c0 RCX: 0000000000000000
      RDX: 0000000000000083 RSI: 1ffff1003b37ae92 RDI: ffffed003b37aefc
      RBP: ffff8801d9bd78a8 R08: 1ffff1003b37ae8a R09: 0000000000000000
      R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff86200de0
      R13: ffffffff84a981ad R14: 0000000000000018 R15: ffff8801d2d34180
      FS:  00000000019c4880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000208bc000 CR3: 00000001d9111001 CR4: 00000000001606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        skb_under_panic net/core/skbuff.c:114 [inline]
        skb_push+0xce/0xf0 net/core/skbuff.c:1714
        ipgre_header+0x6d/0x4e0 net/ipv4/ip_gre.c:879
        dev_hard_header include/linux/netdevice.h:2723 [inline]
        pppoe_sendmsg+0x58e/0x8b0 drivers/net/ppp/pppoe.c:890
        sock_sendmsg_nosec net/socket.c:630 [inline]
        sock_sendmsg+0xca/0x110 net/socket.c:640
        sock_write_iter+0x31a/0x5d0 net/socket.c:909
        call_write_iter include/linux/fs.h:1775 [inline]
        do_iter_readv_writev+0x525/0x7f0 fs/read_write.c:653
        do_iter_write+0x154/0x540 fs/read_write.c:932
        vfs_writev+0x18a/0x340 fs/read_write.c:977
        do_writev+0xfc/0x2a0 fs/read_write.c:1012
        SYSC_writev fs/read_write.c:1085 [inline]
        SyS_writev+0x27/0x30 fs/read_write.c:1082
        entry_SYSCALL_64_fastpath+0x29/0xa0
      
      Admittedly PPPoE shouldn't be allowed to run on non Ethernet-like
      interfaces, but reserving space for ->needed_headroom is a more
      fundamental issue that needs to be addressed first.
      
      Same problem exists for __pppoe_xmit(), which also needs to take
      dev->needed_headroom into account in skb_cow_head().
      
      Fixes: f5184d26 ("net: Allow netdevices to specify needed head/tailroom")
      Reported-by: syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      02612bb0
  2. 23 Jan, 2018 2 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a84a8ab9
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix divide by zero in mlx5, from Talut Batheesh.
      
       2) Guard against invalid GSO packets coming from untrusted guests and
          arriving in qdisc_pkt_len_init(), from Eric Dumazet.
      
       3) Similarly add such protection to the various protocol GSO handlers.
          From Willem de Bruijn.
      
       4) Fix regression added to IGMP source address checking for IGMPv3
          reports, from Felix Feitkau.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        tls: Correct length of scatterlist in tls_sw_sendpage
        be2net: restore properly promisc mode after queues reconfiguration
        net: igmp: fix source address check for IGMPv3 reports
        gso: validate gso_type in GSO handlers
        net: qdisc_pkt_len_init() should be more robust
        ibmvnic: Allocate and request vpd in init_resources
        ibmvnic: Revert to previous mtu when unsupported value requested
        ibmvnic: Modify buffer size and number of queues on failover
        rds: tcp: compute m_ack_seq as offset from ->write_seq
        usbnet: silence an unnecessary warning
        cxgb4: fix endianness for vlan value in cxgb4_tc_flower
        cxgb4: set filter type to 1 for ETH_P_IPV6
        net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare
      a84a8ab9
    • Ben Hutchings's avatar
      nfsd: auth: Fix gid sorting when rootsquash enabled · 19952667
      Ben Hutchings authored
      Commit bdcf0a42 ("kernel: make groups_sort calling a responsibility
      group_info allocators") appears to break nfsd rootsquash in a pretty
      major way.
      
      It adds a call to groups_sort() inside the loop that copies/squashes
      gids, which means the valid gids are sorted along with the following
      garbage.  The net result is that the highest numbered valid gids are
      replaced with any lower-valued garbage gids, possibly including 0.
      
      We should sort only once, after filling in all the gids.
      
      Fixes: bdcf0a42 ("kernel: make groups_sort calling a responsibility ...")
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Acked-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      19952667
  3. 22 Jan, 2018 18 commits
  4. 21 Jan, 2018 8 commits
    • Talat Batheesh's avatar
      net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare · e58edaa4
      Talat Batheesh authored
      Helmut reported a bug about division by zero while
      running traffic and doing physical cable pull test.
      
      When the cable unplugged the ppms become zero, so when
      dividing the current ppms by the previous ppms in the
      next dim iteration there is division by zero.
      
      This patch prevent this division for both ppms and epms.
      
      Fixes: c3164d2f ("net/mlx5e: Added BW check for DIM decision mechanism")
      Reported-by: default avatarHelmut Grauer <helmut.grauer@de.ibm.com>
      Signed-off-by: default avatarTalat Batheesh <talatb@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e58edaa4
    • Linus Torvalds's avatar
      Linux 4.15-rc9 · 0c5b9b5d
      Linus Torvalds authored
      0c5b9b5d
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 55151142
      Linus Torvalds authored
      Pull x86 pti fixes from Thomas Gleixner:
       "A small set of fixes for the meltdown/spectre mitigations:
      
         - Make kprobes aware of retpolines to prevent probes in the retpoline
           thunks.
      
         - Make the machine check exception speculation protected. MCE used to
           issue an indirect call directly from the ASM entry code. Convert
           that to a direct call into a C-function and issue the indirect call
           from there so the compiler can add the retpoline protection,
      
         - Make the vmexit_fill_RSB() assembly less stupid
      
         - Fix a typo in the PTI documentation"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
        x86/pti: Document fix wrong index
        kprobes/x86: Disable optimizing on the function jumps to indirect thunk
        kprobes/x86: Blacklist indirect thunk functions for kprobes
        retpoline: Introduce start/end markers of indirect thunk
        x86/mce: Make machine check speculation protected
      55151142
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 319f1e04
      Linus Torvalds authored
      Pull x86 kexec fix from Thomas Gleixner:
       "A single fix for the WBINVD issue introduced by the SME support which
        causes kexec fails on non AMD/SME capable CPUs. Issue WBINVD only when
        the CPU has SME and avoid doing so in a loop"
      
      [ Side note: this patch fixes the problem, but it isn't entirely clear
        why it is required. The wbinvd should just work regardless, but there
        seems to be some system - as opposed to CPU - issue, since the wbinvd
        causes more problems later in the shutdown sequence, but wbinvd
        instructions while the system is still active are not problematic.
      
        Possibly some SMI or pending machine check issue on the affected system ]
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mm: Rework wbinvd, hlt operation in stop_this_cpu()
      319f1e04
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 66f81624
      Linus Torvalds authored
      Pull irq fix from Thomas Gleixner:
       "A single fix for the new matrix allocator to prevent vector exhaustion
        by certain network drivers which allocate gazillions of unused vectors
        which cannot be put into reservation mode due to MSI and the lack of
        MSI entry masking.
      
        The fix/workaround is to spread the vectors across CPUs by searching
        the supplied target CPU mask for the CPU with the smallest number of
        allocated vectors"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irq/matrix: Spread interrupts on allocation
      66f81624
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha · d517bb79
      Linus Torvalds authored
      Pull alpha fixes from Matt Turner:
       "A build fix and a regression fix"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha:
        alpha/PCI: Fix noname IRQ level detection
        alpha: extend memset16 to EV6 optimised routines
      d517bb79
    • Laura Abbott's avatar
      x86: Use __nostackprotect for sme_encrypt_kernel · 91cfc88c
      Laura Abbott authored
      Commit bacf6b49 ("x86/mm: Use a struct to reduce parameters for SME
      PGD mapping") moved some parameters into a structure.
      
      The structure was large enough to trigger the stack protection canary in
      sme_encrypt_kernel which doesn't work this early, causing reboots.
      
      Mark sme_encrypt_kernel appropriately to not use the canary.
      
      Fixes: bacf6b49 ("x86/mm: Use a struct to reduce parameters for SME PGD mapping")
      Signed-off-by: default avatarLaura Abbott <labbott@redhat.com>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      91cfc88c
    • Lorenzo Pieralisi's avatar
      alpha/PCI: Fix noname IRQ level detection · 86be8993
      Lorenzo Pieralisi authored
      The conversion of the alpha architecture PCI host bridge legacy IRQ
      mapping/swizzling to the new PCI host bridge map/swizzle hooks carried
      out through:
      
      commit 0e4c2eeb ("alpha/PCI: Replace pci_fixup_irqs() call with
      host bridge IRQ mapping hooks")
      
      implies that IRQ for devices are now allocated through pci_assign_irq()
      function in pci_device_probe() that is called when a driver matching a
      device is found in order to probe the device through the device driver.
      
      Alpha noname platforms required IRQ level programming to be executed
      in sio_fixup_irq_levels(), that is called in noname_init_pci(), a
      platform hook called within a subsys_initcall.
      
      In noname_init_pci(), present IRQs are detected through
      sio_collect_irq_levels() that check the struct pci_dev->irq number
      to detect if an IRQ has been allocated for the device.
      
      By the time sio_collect_irq_levels() is called, some devices may still
      have not a matching driver loaded to match them (eg loadable module)
      therefore their IRQ allocation is still pending - which means that
      sio_collect_irq_levels() does not programme the correct IRQ level for
      those devices, causing their IRQ handling to be broken when the device
      driver is actually loaded and the device is probed.
      
      Fix the issue by adding code in the noname map_irq() function
      (noname_map_irq()) that, whilst mapping/swizzling the IRQ line, it also
      ensures that the correct IRQ level programming is executed at platform
      level, fixing the issue.
      
      Fixes: 0e4c2eeb ("alpha/PCI: Replace pci_fixup_irqs() call with
      host bridge IRQ mapping hooks")
      Reported-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Cc: stable@vger.kernel.org # 4.14
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Richard Henderson <rth@twiddle.net>
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Cc: Mikulas Patocka <mpatocka@redhat.com>
      Cc: Meelis Roos <mroos@linux.ee>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      86be8993
  5. 20 Jan, 2018 4 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 24b61240
      Linus Torvalds authored
      Pull KVM fixes from Radim Krčmář:
       "ARM:
         - fix incorrect huge page mappings on systems using the contiguous
           hint for hugetlbfs
         - support alternative GICv4 init sequence
         - correctly implement the ARM SMCC for HVC and SMC handling
      
        PPC:
         - add KVM IOCTL for reporting vulnerability and workaround status
      
        s390:
         - provide userspace interface for branch prediction changes in
           firmware
      
        x86:
         - use correct macros for bits"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: s390: wire up bpb feature
        KVM: PPC: Book3S: Provide information about hardware/firmware CVE workarounds
        KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs()
        arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
        KVM: arm64: Fix GICv4 init when called from vgic_its_create
        KVM: arm/arm64: Check pagesize when allocating a hugepage at Stage 2
      24b61240
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.15_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · e6252e7f
      Linus Torvalds authored
      Pull MIPS fixes from James Hogan:
       "Some final MIPS fixes for 4.15, including important build fixes and a
        MAINTAINERS update:
      
         - Add myself as MIPS co-maintainer.
      
         - Fix various all*config build failures (particularly as a result of
           switching the default MIPS platform to the "generic" platform).
      
         - Fix GCC7 build failures (duplicate const and questionable calls to
           missing __multi3 intrinsic on mips64r6).
      
         - Fix warnings when CPU Idle is enabled (4.14).
      
         - Fix AR7 serial output (since 3.17).
      
         - Fix ralink platform_get_irq error checking (since 3.12)"
      
      * tag 'mips_fixes_4.15_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        MAINTAINERS: Add James as MIPS co-maintainer
        MIPS: Fix undefined reference to physical_memsize
        MIPS: Implement __multi3 for GCC7 MIPS64r6 builds
        MIPS: mm: Fix duplicate "const" on insn_table_MM
        MIPS: CM: Drop WARN_ON(vp != 0)
        MIPS: ralink: Fix platform_get_irq's error checking
        MIPS: Fix CPS SMP NS16550 UART defaults
        MIPS: BCM47XX Avoid compile error with MIPS allnoconfig
        MIPS: RB532: Avoid undefined mac_pton without GENERIC_NET_UTILS
        MIPS: RB532: Avoid undefined early_serial_setup() without SERIAL_8250_CONSOLE
        MIPS: ath25: Avoid undefined early_serial_setup() without SERIAL_8250_CONSOLE
        MIPS: AR7: ensure the port type's FCR value is used
      e6252e7f
    • Christian Borntraeger's avatar
      KVM: s390: wire up bpb feature · 35b3fde6
      Christian Borntraeger authored
      The new firmware interfaces for branch prediction behaviour changes
      are transparently available for the guest. Nevertheless, there is
      new state attached that should be migrated and properly resetted.
      Provide a mechanism for handling reset, migration and VSIE.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
      [Changed capability number to 152. - Radim]
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      35b3fde6
    • Radim Krčmář's avatar
      Merge tag 'kvm-ppc-cve-4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc · 29d24e3f
      Radim Krčmář authored
      Add PPC KVM ioctl to report vulnerability and workaround status to userspace.
      29d24e3f
  6. 19 Jan, 2018 7 commits