1. 05 Feb, 2020 15 commits
    • bonding/alb: properly access headers in bond_alb_xmit() · 38f88c45
      Eric Dumazet authored
      syzbot managed to send an IPX packet through bond_alb_xmit()
      and af_packet and triggered a use-after-free.
      
      First, bond_alb_xmit() was using ipx_hdr() helper to reach
      the IPX header, but ipx_hdr() was using the transport offset
      instead of the network offset. In the particular syzbot
      report transport offset was 0xFFFF
      
      This patch removes ipx_hdr() since it was only (mis)used from bonding.
      
      Then we need to make sure IPv4/IPv6/IPX headers are pulled
      in skb->head before dereferencing anything.
      
      BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
      Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
       (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)
      
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       [<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
       [<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
       [<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
       [<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
       [<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
       [<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
       [<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
       [<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
       [<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
       [<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
       [<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
       [<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
       [<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
       [<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
       [<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
       [<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
       [<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
       [<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
       [<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
       [<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
       [<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
       [<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
       [<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • devlink: report 0 after hitting end in region read · d5b90e99
      Jacob Keller authored
      commit fdd41ec2 ("devlink: Return right error code in case of errors
      for region read") modified the region read code to report errors
      properly in unexpected cases.
      
      In the case where the start_offset and ret_offset match, it unilaterally
      converted this into an error. This causes an issue for the "dump"
      version of the command. In this case, the devlink region dump will
      always report an invalid argument:
      
      000000000000ffd0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      000000000000ffe0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      devlink answers: Invalid argument
      000000000000fff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      
      This occurs because the expected flow for the dump is to return 0 after
      there is no further data.
      
      The simplest fix would be to stop converting the error code to -EINVAL
      if start_offset == ret_offset. However, avoid unnecessary work by
      checking for when start_offset is larger than the region size and
      returning 0 upfront.
      
      Fixes: fdd41ec2 ("devlink: Return right error code in case of errors for region read")
      Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: dec: tulip: Fix length mask in receive length calculation · 33e2b32b
      Moritz Fischer authored
      The receive frame length calculation uses a wrong mask to calculate the
      length of the received frames.
      
      Per spec table 4-1 the length is contained in the FL (Frame Length)
      field in bits 30:16.
      
      This didn't show up as an issue so far since frames were limited to
      1500 bytes which falls within the 11 bit window.
      Signed-off-by: Moritz Fischer <mdf@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'wg-fixes' · 7bb77d4b
      David S. Miller authored
      Jason A. Donenfeld says:
      
      ====================
      wireguard fixes for 5.6-rc1
      
      Here are fixes for WireGuard before 5.6-rc1 is tagged. It includes:
      
      1) A fix for a UaF (caused by kmalloc failing during a very small
         allocation) that syzkaller found, from Eric Dumazet.
      
      2) A fix for a deadlock that syzkaller found, along with an additional
         selftest to ensure that the bug fix remains correct, from me.
      
      3) Two little fixes/cleanups to the selftests from Krzysztof Kozlowski
         and me.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • wireguard: selftests: tie socket waiting to target pid · 88f404a9
      Jason A. Donenfeld authored
      Without this, we wind up proceeding too early sometimes when the
      previous process has just used the same listening port. So, we tie the
      listening socket query to the specific pid we're interested in.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • wireguard: selftests: cleanup CONFIG_ENABLE_WARN_DEPRECATED · 4a2ef721
      Krzysztof Kozlowski authored
      CONFIG_ENABLE_WARN_DEPRECATED is gone since commit 771c0353
      ("deprecate the '__deprecated' attribute warnings entirely and for
      good").
      Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • wireguard: selftests: ensure non-addition of peers with failed precomputation · f9398acb
      Jason A. Donenfeld authored
      Ensure that peers with low order points are ignored, both in the case
      where we already have a device private key and in the case where we do
      not. This adds points that naturally give a zero output.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • wireguard: noise: reject peers with low order public keys · ec31c267
      Jason A. Donenfeld authored
      Our static-static calculation returns a failure if the public key is of
      low order. We check for this when peers are added, and don't allow them
      to be added if they're low order, except in the case where we haven't
      yet been given a private key. In that case, we would defer the removal
      of the peer until we're given a private key, since at that point we're
      doing new static-static calculations which incur failures we can act on.
      This meant, however, that we wound up removing peers rather late in the
      configuration flow.
      
      Syzkaller points out that peer_remove calls flush_workqueue, which in
      turn might then wait for sending a handshake initiation to complete.
      Since handshake initiation needs the static identity lock, holding the
      static identity lock while calling peer_remove can result in a rare
      deadlock. We have precisely this case in this situation of late-stage
      peer removal based on an invalid public key. We can't drop the lock when
      removing, because then incoming handshakes might interact with a bogus
      static-static calculation.
      
      While the band-aid patch for this would involve breaking up the peer
      removal into two steps like wg_peer_remove_all does, in order to solve
      the locking issue, there's actually a much more elegant way of fixing
      this:
      
      If the static-static calculation succeeds with one private key, it
      *must* succeed with all others, because all 32-byte strings map to valid
      private keys, thanks to clamping. That means we can get rid of this
      silly dance and locking headaches of removing peers late in the
      configuration flow, and instead just reject them early on, regardless of
      whether the device has yet been assigned a private key. For the case
      where the device doesn't yet have a private key, we safely use zeros
      just for the purposes of checking for low order points by way of
      checking the output of the calculation.
      
      The following PoC will trigger the deadlock:
      
      ip link add wg0 type wireguard
      ip addr add 10.0.0.1/24 dev wg0
      ip link set wg0 up
      ping -f 10.0.0.2 &
      while true; do
              wg set wg0 private-key /dev/null peer AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= allowed-ips 10.0.0.0/24 endpoint 10.0.0.3:1234
              wg set wg0 private-key <(echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=)
      done
      
      [    0.949105] ======================================================
      [    0.949550] WARNING: possible circular locking dependency detected
      [    0.950143] 5.5.0-debug+ #18 Not tainted
      [    0.950431] ------------------------------------------------------
      [    0.950959] wg/89 is trying to acquire lock:
      [    0.951252] ffff8880333e2128 ((wq_completion)wg-kex-wg0){+.+.}, at: flush_workqueue+0xe3/0x12f0
      [    0.951865]
      [    0.951865] but task is already holding lock:
      [    0.952280] ffff888032819bc0 (&wg->static_identity.lock){++++}, at: wg_set_device+0x95d/0xcc0
      [    0.953011]
      [    0.953011] which lock already depends on the new lock.
      [    0.953011]
      [    0.953651]
      [    0.953651] the existing dependency chain (in reverse order) is:
      [    0.954292]
      [    0.954292] -> #2 (&wg->static_identity.lock){++++}:
      [    0.954804]        lock_acquire+0x127/0x350
      [    0.955133]        down_read+0x83/0x410
      [    0.955428]        wg_noise_handshake_create_initiation+0x97/0x700
      [    0.955885]        wg_packet_send_handshake_initiation+0x13a/0x280
      [    0.956401]        wg_packet_handshake_send_worker+0x10/0x20
      [    0.956841]        process_one_work+0x806/0x1500
      [    0.957167]        worker_thread+0x8c/0xcb0
      [    0.957549]        kthread+0x2ee/0x3b0
      [    0.957792]        ret_from_fork+0x24/0x30
      [    0.958234]
      [    0.958234] -> #1 ((work_completion)(&peer->transmit_handshake_work)){+.+.}:
      [    0.958808]        lock_acquire+0x127/0x350
      [    0.959075]        process_one_work+0x7ab/0x1500
      [    0.959369]        worker_thread+0x8c/0xcb0
      [    0.959639]        kthread+0x2ee/0x3b0
      [    0.959896]        ret_from_fork+0x24/0x30
      [    0.960346]
      [    0.960346] -> #0 ((wq_completion)wg-kex-wg0){+.+.}:
      [    0.960945]        check_prev_add+0x167/0x1e20
      [    0.961351]        __lock_acquire+0x2012/0x3170
      [    0.961725]        lock_acquire+0x127/0x350
      [    0.961990]        flush_workqueue+0x106/0x12f0
      [    0.962280]        peer_remove_after_dead+0x160/0x220
      [    0.962600]        wg_set_device+0xa24/0xcc0
      [    0.962994]        genl_rcv_msg+0x52f/0xe90
      [    0.963298]        netlink_rcv_skb+0x111/0x320
      [    0.963618]        genl_rcv+0x1f/0x30
      [    0.963853]        netlink_unicast+0x3f6/0x610
      [    0.964245]        netlink_sendmsg+0x700/0xb80
      [    0.964586]        __sys_sendto+0x1dd/0x2c0
      [    0.964854]        __x64_sys_sendto+0xd8/0x1b0
      [    0.965141]        do_syscall_64+0x90/0xd9a
      [    0.965408]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [    0.965769]
      [    0.965769] other info that might help us debug this:
      [    0.965769]
      [    0.966337] Chain exists of:
      [    0.966337]   (wq_completion)wg-kex-wg0 --> (work_completion)(&peer->transmit_handshake_work) --> &wg->static_identity.lock
      [    0.966337]
      [    0.967417]  Possible unsafe locking scenario:
      [    0.967417]
      [    0.967836]        CPU0                    CPU1
      [    0.968155]        ----                    ----
      [    0.968497]   lock(&wg->static_identity.lock);
      [    0.968779]                                lock((work_completion)(&peer->transmit_handshake_work));
      [    0.969345]                                lock(&wg->static_identity.lock);
      [    0.969809]   lock((wq_completion)wg-kex-wg0);
      [    0.970146]
      [    0.970146]  *** DEADLOCK ***
      [    0.970146]
      [    0.970531] 5 locks held by wg/89:
      [    0.970908]  #0: ffffffff827433c8 (cb_lock){++++}, at: genl_rcv+0x10/0x30
      [    0.971400]  #1: ffffffff82743480 (genl_mutex){+.+.}, at: genl_rcv_msg+0x642/0xe90
      [    0.971924]  #2: ffffffff827160c0 (rtnl_mutex){+.+.}, at: wg_set_device+0x9f/0xcc0
      [    0.972488]  #3: ffff888032819de0 (&wg->device_update_lock){+.+.}, at: wg_set_device+0xb0/0xcc0
      [    0.973095]  #4: ffff888032819bc0 (&wg->static_identity.lock){++++}, at: wg_set_device+0x95d/0xcc0
      [    0.973653]
      [    0.973653] stack backtrace:
      [    0.973932] CPU: 1 PID: 89 Comm: wg Not tainted 5.5.0-debug+ #18
      [    0.974476] Call Trace:
      [    0.974638]  dump_stack+0x97/0xe0
      [    0.974869]  check_noncircular+0x312/0x3e0
      [    0.975132]  ? print_circular_bug+0x1f0/0x1f0
      [    0.975410]  ? __kernel_text_address+0x9/0x30
      [    0.975727]  ? unwind_get_return_address+0x51/0x90
      [    0.976024]  check_prev_add+0x167/0x1e20
      [    0.976367]  ? graph_lock+0x70/0x160
      [    0.976682]  __lock_acquire+0x2012/0x3170
      [    0.976998]  ? register_lock_class+0x1140/0x1140
      [    0.977323]  lock_acquire+0x127/0x350
      [    0.977627]  ? flush_workqueue+0xe3/0x12f0
      [    0.977890]  flush_workqueue+0x106/0x12f0
      [    0.978147]  ? flush_workqueue+0xe3/0x12f0
      [    0.978410]  ? find_held_lock+0x2c/0x110
      [    0.978662]  ? lock_downgrade+0x6e0/0x6e0
      [    0.978919]  ? queue_rcu_work+0x60/0x60
      [    0.979166]  ? netif_napi_del+0x151/0x3b0
      [    0.979501]  ? peer_remove_after_dead+0x160/0x220
      [    0.979871]  peer_remove_after_dead+0x160/0x220
      [    0.980232]  wg_set_device+0xa24/0xcc0
      [    0.980516]  ? deref_stack_reg+0x8e/0xc0
      [    0.980801]  ? set_peer+0xe10/0xe10
      [    0.981040]  ? __ww_mutex_check_waiters+0x150/0x150
      [    0.981430]  ? __nla_validate_parse+0x163/0x270
      [    0.981719]  ? genl_family_rcv_msg_attrs_parse+0x13f/0x310
      [    0.982078]  genl_rcv_msg+0x52f/0xe90
      [    0.982348]  ? genl_family_rcv_msg_attrs_parse+0x310/0x310
      [    0.982690]  ? register_lock_class+0x1140/0x1140
      [    0.983049]  netlink_rcv_skb+0x111/0x320
      [    0.983298]  ? genl_family_rcv_msg_attrs_parse+0x310/0x310
      [    0.983645]  ? netlink_ack+0x880/0x880
      [    0.983888]  genl_rcv+0x1f/0x30
      [    0.984168]  netlink_unicast+0x3f6/0x610
      [    0.984443]  ? netlink_detachskb+0x60/0x60
      [    0.984729]  ? find_held_lock+0x2c/0x110
      [    0.984976]  netlink_sendmsg+0x700/0xb80
      [    0.985220]  ? netlink_broadcast_filtered+0xa60/0xa60
      [    0.985533]  __sys_sendto+0x1dd/0x2c0
      [    0.985763]  ? __x64_sys_getpeername+0xb0/0xb0
      [    0.986039]  ? sockfd_lookup_light+0x17/0x160
      [    0.986397]  ? __sys_recvmsg+0x8c/0xf0
      [    0.986711]  ? __sys_recvmsg_sock+0xd0/0xd0
      [    0.987018]  __x64_sys_sendto+0xd8/0x1b0
      [    0.987283]  ? lockdep_hardirqs_on+0x39b/0x5a0
      [    0.987666]  do_syscall_64+0x90/0xd9a
      [    0.987903]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
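
The reasoning in the commit message above, as an added Python example (not part of the commit and not WireGuard's code): an RFC 7748 X25519 ladder shows that a low-order public key gives an all-zero result under every clamped private key, so testing it against an all-zero private key reaches the same verdict. The function names and the sample keys (u = 0, u = 1, the base point u = 9, and hash-derived private keys) are assumptions constructed for illustration.

```python
# Added example: why a low-order peer key can be rejected before the device
# has a private key. X25519 follows the ladder in RFC 7748, section 5.
import hashlib

P = 2**255 - 19   # field prime of Curve25519
A24 = 121665      # (486662 - 2) / 4, the ladder constant from RFC 7748
ZERO = bytes(32)


def clamp(scalar: bytes) -> int:
    """Turn any 32 bytes into a valid scalar: a multiple of 8 with bit 254 set."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder; returns the 32-byte u-coordinate of scalar * point."""
    k = clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # top bit is ignored
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # z2 == 0 (point at infinity) inverts to 0, so the output is all zeros.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def is_low_order(public_key: bytes, private_key: bytes = ZERO) -> bool:
    """True when the DH output is all zeros, i.e. the peer key must be rejected.

    The default all-zero private key models a device that has no key yet.
    """
    return x25519(private_key, public_key) == ZERO


# Constructed sample inputs (not taken from the page).
BASE_POINT = (9).to_bytes(32, "little")
LOW_ORDER_KEYS = [(0).to_bytes(32, "little"), (1).to_bytes(32, "little")]
SAMPLE_PRIVATE_KEYS = [hashlib.sha256(bytes([i])).digest() for i in range(6)]


def verdict_is_key_independent(public_key: bytes) -> bool:
    """Check that every sample private key agrees with the zero-key verdict."""
    reference = is_low_order(public_key)
    return all(is_low_order(public_key, sk) == reference
               for sk in SAMPLE_PRIVATE_KEYS)


def shared_secrets_match(sk_a: bytes, sk_b: bytes) -> bool:
    """Sanity check of the ladder: both sides of a DH exchange agree."""
    pub_a = x25519(sk_a, BASE_POINT)
    pub_b = x25519(sk_b, BASE_POINT)
    return x25519(sk_a, pub_b) == x25519(sk_b, pub_a)


if __name__ == "__main__":
    for key in LOW_ORDER_KEYS + [BASE_POINT]:
        print(key.hex()[:16], "low order:", is_low_order(key),
              "same for all keys:", verdict_is_key_independent(key))
```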
    • wireguard: allowedips: fix use-after-free in root_remove_peer_lists · 9981159f
      Eric Dumazet authored
      In the unlikely case a new node could not be allocated, we need to
      remove @newnode from @peer->allowedips_list before freeing it.
      
      syzbot reported:
      
      BUG: KASAN: use-after-free in __list_del_entry_valid+0xdc/0xf5 lib/list_debug.c:54
      Read of size 8 at addr ffff88809881a538 by task syz-executor.4/30133
      
      CPU: 0 PID: 30133 Comm: syz-executor.4 Not tainted 5.5.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
       __list_del_entry_valid+0xdc/0xf5 lib/list_debug.c:54
       __list_del_entry include/linux/list.h:132 [inline]
       list_del include/linux/list.h:146 [inline]
       root_remove_peer_lists+0x24f/0x4b0 drivers/net/wireguard/allowedips.c:65
       wg_allowedips_free+0x232/0x390 drivers/net/wireguard/allowedips.c:300
       wg_peer_remove_all+0xd5/0x620 drivers/net/wireguard/peer.c:187
       wg_set_device+0xd01/0x1350 drivers/net/wireguard/netlink.c:542
       genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline]
       genl_family_rcv_msg net/netlink/genetlink.c:717 [inline]
       genl_rcv_msg+0x67d/0xea0 net/netlink/genetlink.c:734
       netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
       genl_rcv+0x29/0x40 net/netlink/genetlink.c:745
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:672
       ____sys_sendmsg+0x753/0x880 net/socket.c:2343
       ___sys_sendmsg+0x100/0x170 net/socket.c:2397
       __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
       __do_sys_sendmsg net/socket.c:2439 [inline]
       __se_sys_sendmsg net/socket.c:2437 [inline]
       __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Allocated by task 30103:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc mm/kasan/common.c:513 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
       kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3551
       kmalloc include/linux/slab.h:556 [inline]
       kzalloc include/linux/slab.h:670 [inline]
       add+0x70a/0x1970 drivers/net/wireguard/allowedips.c:236
       wg_allowedips_insert_v4+0xf6/0x160 drivers/net/wireguard/allowedips.c:320
       set_allowedip drivers/net/wireguard/netlink.c:343 [inline]
       set_peer+0xfb9/0x1150 drivers/net/wireguard/netlink.c:468
       wg_set_device+0xbd4/0x1350 drivers/net/wireguard/netlink.c:591
       genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline]
       genl_family_rcv_msg net/netlink/genetlink.c:717 [inline]
       genl_rcv_msg+0x67d/0xea0 net/netlink/genetlink.c:734
       netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
       genl_rcv+0x29/0x40 net/netlink/genetlink.c:745
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:672
       ____sys_sendmsg+0x753/0x880 net/socket.c:2343
       ___sys_sendmsg+0x100/0x170 net/socket.c:2397
       __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
       __do_sys_sendmsg net/socket.c:2439 [inline]
       __se_sys_sendmsg net/socket.c:2437 [inline]
       __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 30103:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:335 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
       __cache_free mm/slab.c:3426 [inline]
       kfree+0x10a/0x2c0 mm/slab.c:3757
       add+0x12d2/0x1970 drivers/net/wireguard/allowedips.c:266
       wg_allowedips_insert_v4+0xf6/0x160 drivers/net/wireguard/allowedips.c:320
       set_allowedip drivers/net/wireguard/netlink.c:343 [inline]
       set_peer+0xfb9/0x1150 drivers/net/wireguard/netlink.c:468
       wg_set_device+0xbd4/0x1350 drivers/net/wireguard/netlink.c:591
       genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline]
       genl_family_rcv_msg net/netlink/genetlink.c:717 [inline]
       genl_rcv_msg+0x67d/0xea0 net/netlink/genetlink.c:734
       netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
       genl_rcv+0x29/0x40 net/netlink/genetlink.c:745
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:672
       ____sys_sendmsg+0x753/0x880 net/socket.c:2343
       ___sys_sendmsg+0x100/0x170 net/socket.c:2397
       __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
       __do_sys_sendmsg net/socket.c:2439 [inline]
       __se_sys_sendmsg net/socket.c:2437 [inline]
       __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff88809881a500
       which belongs to the cache kmalloc-64 of size 64
      The buggy address is located 56 bytes inside of
       64-byte region [ffff88809881a500, ffff88809881a540)
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Jason A. Donenfeld <Jason@zx2c4.com>
      Cc: wireguard@lists.zx2c4.com
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: fix a resource leak in tcindex_set_parms() · 52b5ae50
      Cong Wang authored
      Jakub noticed there is a potential resource leak in
      tcindex_set_parms(): when tcindex_filter_result_init() fails
      and it jumps to 'errout1' which doesn't release the memory
      and resources allocated by tcindex_alloc_perfect_hash().
      
      We should just jump to 'errout_alloc' which calls
      tcindex_free_perfect_hash().
      
      Fixes: b9a24bb7 ("net_sched: properly handle failure case of tcf_exts_init()")
      Reported-by: Jakub Kicinski <kuba@kernel.org>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mptcp: fix use-after-free on tcp fallback · 2c22c06c
      Florian Westphal authored
      When an mptcp socket connects to a tcp peer or when a middlebox interferes
      with tcp options, mptcp needs to fall back to plain tcp.
      Problem is that mptcp is trying to be too clever in this case:
      
      It attempts to close the mptcp meta sk and transparently replace it with
      the (only) subflow tcp sk.
      
      Unfortunately, this is racy -- the socket is already exposed to userspace.
      Any parallel calls to send/recv/setsockopt etc. can cause use-after-free:
      
      BUG: KASAN: use-after-free in atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
      CPU: 1 PID: 2083 Comm: syz-executor.1 Not tainted 5.5.0 #2
       atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
       queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
       do_raw_spin_lock include/linux/spinlock.h:181 [inline]
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:136 [inline]
       _raw_spin_lock_bh+0x71/0xd0 kernel/locking/spinlock.c:175
       spin_lock_bh include/linux/spinlock.h:343 [inline]
       __lock_sock+0x105/0x190 net/core/sock.c:2414
       lock_sock_nested+0x10f/0x140 net/core/sock.c:2938
       lock_sock include/net/sock.h:1516 [inline]
       mptcp_setsockopt+0x2f/0x1f0 net/mptcp/protocol.c:800
       __sys_setsockopt+0x152/0x240 net/socket.c:2130
       __do_sys_setsockopt net/socket.c:2146 [inline]
       __se_sys_setsockopt net/socket.c:2143 [inline]
       __x64_sys_setsockopt+0xba/0x150 net/socket.c:2143
       do_syscall_64+0xb7/0x3d0 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      While the use-after-free can be resolved, there is another problem:
      sock->ops and sock->sk assignments are not atomic, i.e. we may get calls
      into mptcp functions with sock->sk already pointing at the subflow socket,
      or calls into tcp functions with a mptcp meta sk.
      
      Remove the fallback code and call the relevant functions for the (only)
      subflow in case the mptcp socket is connected to tcp peer.
      Reported-by: Christoph Paasch <cpaasch@apple.com>
      Diagnosed-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
      Tested-by: Christoph Paasch <cpaasch@apple.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Andy Shevchenko's avatar
      8b7a07c7
    • net: dsa: b53: Platform data shan't include kernel.h · e22e0790
      Andy Shevchenko authored
      Replace with appropriate types.h.
      Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netdevsim: fix ptr_ret.cocci warnings · 34611e69
      kbuild test robot authored
      drivers/net/netdevsim/dev.c:937:1-3: WARNING: PTR_ERR_OR_ZERO can be used
      
       Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
      
      Generated by: scripts/coccinelle/api/ptr_ret.cocci
      
      Fixes: 6556ff32 ("netdevsim: use IS_ERR instead of IS_ERR_OR_NULL for debugfs")
      CC: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: sgi: ioc3-eth: Remove leftover free_irq() · 9784e619
      Thomas Bogendoerfer authored
      Commit 0ce5ebd2 ("mfd: ioc3: Add driver for SGI IOC3 chip") moved
      request_irq() from ioc3_open into probe function, but forgot to remove
      free_irq() from ioc3_close.
      
      Fixes: 0ce5ebd2 ("mfd: ioc3: Add driver for SGI IOC3 chip")
      Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 04 Feb, 2020 25 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 33b40134
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Use after free in rxrpc_put_local(), from David Howells.
      
       2) Fix 64-bit division error in mlxsw, from Nathan Chancellor.
      
       3) Make sure we clear various bits of TCP state in response to
          tcp_disconnect(). From Eric Dumazet.
      
       4) Fix netlink attribute policy in cls_rsvp, from Eric Dumazet.
      
       5) txtimer must be deleted in stmmac suspend(), from Nicolin Chen.
      
       6) Fix TC queue mapping in bnxt_en driver, from Michael Chan.
      
       7) Various netdevsim fixes from Taehee Yoo (use of uninitialized data,
          snapshot panics, stack out of bounds, etc.)
      
       8) cls_tcindex changes hash table size after allocating the table, fix
          from Cong Wang.
      
       9) Fix regression in the enforcement of session ID uniqueness in l2tp.
          We only have to enforce uniqueness for IP based tunnels not UDP
          ones. From Ridge Kennedy.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (46 commits)
        gtp: use __GFP_NOWARN to avoid memalloc warning
        l2tp: Allow duplicate session creation with UDP
        r8152: Add MAC passthrough support to new device
        net_sched: fix an OOB access in cls_tcindex
        qed: Remove set but not used variable 'p_link'
        tc-testing: add missing 'nsPlugin' to basic.json
        tc-testing: fix eBPF tests failure on linux fresh clones
        net: hsr: fix possible NULL deref in hsr_handle_frame()
        netdevsim: remove unused sdev code
        netdevsim: use __GFP_NOWARN to avoid memalloc warning
        netdevsim: use IS_ERR instead of IS_ERR_OR_NULL for debugfs
        netdevsim: fix stack-out-of-bounds in nsim_dev_debugfs_init()
        netdevsim: fix panic in nsim_dev_take_snapshot_write()
        netdevsim: disable devlink reload when resources are being used
        netdevsim: fix using uninitialized resources
        bnxt_en: Fix TC queue mapping.
        bnxt_en: Fix logic that disables Bus Master during firmware reset.
        bnxt_en: Fix RDMA driver failure with SRIOV after firmware reset.
        bnxt_en: Refactor logic to re-enable SRIOV after firmware reset detected.
        net: stmmac: Delete txtimer in suspend()
        ...
    • Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · d60ddd24
      Linus Torvalds authored
      Pull ARM updates from Russell King:
      
       - decompressor updates
      
       - prevention of out-of-bounds access while stacktracing
      
       - fix a section mismatch warning with free_memmap()
      
       - make kexec depend on MMU to avoid some build errors
      
       - remove swapops stubs
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8954/1: NOMMU: remove stubs for swapops
        ARM: 8952/1: Disable kmemleak on XIP kernels
        ARM: 8951/1: Fix Kexec compilation issue.
        ARM: 8949/1: mm: mark free_memmap as __init
        ARM: 8948/1: Prevent OOB access in stacktrace
        ARM: 8945/1: decompressor: use CONFIG option instead of cc-option
        ARM: 8942/1: Revert "8857/1: efi: enable CP15 DMB instructions before cleaning the cache"
        ARM: 8941/1: decompressor: enable CP15 barrier instructions in v7 cache setup code
    • Merge tag 'powerpc-5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 71c3a888
      Linus Torvalds authored
      Pull powerpc updates from Michael Ellerman:
       "A pretty small batch for us, and apologies for it being a bit late, I
        wanted to sneak Christophe's user_access_begin() series in.
      
        Summary:
      
         - Implement user_access_begin() and friends for our platforms that
           support controlling kernel access to userspace.
      
         - Enable CONFIG_VMAP_STACK on 32-bit Book3S and 8xx.
      
         - Some tweaks to our pseries IOMMU code to allow SVMs ("secure"
           virtual machines) to use the IOMMU.
      
         - Add support for CLOCK_{REALTIME/MONOTONIC}_COARSE to the 32-bit
           VDSO, and some other improvements.
      
         - A series to use the PCI hotplug framework to control opencapi
           cards so that they can be reset and re-read after flashing a new
           FPGA image.
      
        As well as other minor fixes and improvements as usual.
      
        Thanks to: Alastair D'Silva, Alexandre Ghiti, Alexey Kardashevskiy,
        Andrew Donnellan, Aneesh Kumar K.V, Anju T Sudhakar, Bai Yingjie, Chen
        Zhou, Christophe Leroy, Frederic Barrat, Greg Kurz, Jason A.
        Donenfeld, Joel Stanley, Jordan Niethe, Julia Lawall, Krzysztof
        Kozlowski, Laurent Dufour, Laurentiu Tudor, Linus Walleij, Michael
        Bringmann, Nathan Chancellor, Nicholas Piggin, Nick Desaulniers,
        Oliver O'Halloran, Peter Ujfalusi, Pingfan Liu, Ram Pai, Randy Dunlap,
        Russell Currey, Sam Bobroff, Sebastian Andrzej Siewior, Shawn
        Anastasio, Stephen Rothwell, Steve Best, Sukadev Bhattiprolu, Thiago
        Jung Bauermann, Tyrel Datwyler, Vaibhav Jain"
      
      * tag 'powerpc-5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: (131 commits)
        powerpc: configs: Cleanup old Kconfig options
        powerpc/configs/skiroot: Enable some more hardening options
        powerpc/configs/skiroot: Disable xmon default & enable reboot on panic
        powerpc/configs/skiroot: Enable security features
        powerpc/configs/skiroot: Update for symbol movement only
        powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV
        powerpc/configs/skiroot: Drop HID_LOGITECH
        powerpc/configs: Drop NET_VENDOR_HP which moved to staging
        powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE
        powerpc/configs: Drop CONFIG_QLGE which moved to staging
        powerpc: Do not consider weak unresolved symbol relocations as bad
        powerpc/32s: Fix kasan_early_hash_table() for CONFIG_VMAP_STACK
        powerpc: indent to improve Kconfig readability
        powerpc: Provide initial documentation for PAPR hcalls
        powerpc: Implement user_access_save() and user_access_restore()
        powerpc: Implement user_access_begin and friends
        powerpc/32s: Prepare prevent_user_access() for user_access_end()
        powerpc/32s: Drop NULL addr verification
        powerpc/kuap: Fix set direction in allow/prevent_user_access()
        powerpc/32s: Fix bad_kuap_fault()
        ...
    • Merge tag 'microblaze-v5.6-rc1' of git://git.monstr.eu/linux-2.6-microblaze · 153b5c56
      Linus Torvalds authored
      Pull Microblaze update from Michal Simek:
      
       - enable CMA
      
       - add support for MB v11
      
       - defconfig updates
      
       - minor fixes
      
      * tag 'microblaze-v5.6-rc1' of git://git.monstr.eu/linux-2.6-microblaze:
        microblaze: Add ID for Microblaze v11
        microblaze: Prevent the overflow of the start
        microblaze: Wire CMA allocator
        asm-generic: Make dma-contiguous.h a mandatory include/asm header
        microblaze: Sync defconfig with latest Kconfig layout
        microblaze: defconfig: Disable EXT2 driver and Enable EXT3 & EXT4 drivers
        microblaze: Align comments with register usage
    • Merge tag 'ovl-update-5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · 7f879e1a
      Linus Torvalds authored
      Pull overlayfs update from Miklos Szeredi:
      
       - Try to preserve holes in sparse files when copying up, thus saving
         disk space and improving performance.
      
       - Fix a performance regression introduced in v4.19 by preserving
         asynchronicity of IO when forwarding to underlying layers. Add VFS
         helpers to submit async iocbs.
      
       - Fix a regression in lseek(2) introduced in v4.19 that breaks >2G
         seeks on 32bit kernels.
      
       - Fix a corner case where st_ino/st_dev was not preserved across copy
         up.
      
       - Miscellaneous fixes and cleanups.
      
      * tag 'ovl-update-5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: fix lseek overflow on 32bit
        ovl: add splice file read write helper
        ovl: implement async IO routines
        vfs: add vfs_iocb_iter_[read|write] helper functions
        ovl: layer is const
        ovl: fix corner case of non-constant st_dev;st_ino
        ovl: fix corner case of conflicting lower layer uuid
        ovl: generalize the lower_fs[] array
        ovl: simplify ovl_same_sb() helper
        ovl: generalize the lower_layers[] array
        ovl: improving copy-up efficiency for big sparse file
        ovl: use ovl_inode_lock in ovl_llseek()
        ovl: use pr_fmt auto generate prefix
        ovl: fix wrong WARN_ON() in ovl_cache_update_ino()
    • gtp: use __GFP_NOWARN to avoid memalloc warning · bd5cd35b
      Taehee Yoo authored
      gtp hashtable size is received by user-space.
      So, this hashtable size could be too large. If so, kmalloc will internally
      print a warning message.
      This warning message is actually not necessary for the gtp module.
      So, this patch adds __GFP_NOWARN to avoid this message.
      
      Splat looks like:
      [ 2171.200049][ T1860] WARNING: CPU: 1 PID: 1860 at mm/page_alloc.c:4713 __alloc_pages_nodemask+0x2f3/0x740
      [ 2171.238885][ T1860] Modules linked in: gtp veth openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv]
      [ 2171.262680][ T1860] CPU: 1 PID: 1860 Comm: gtp-link Not tainted 5.5.0+ #321
      [ 2171.263567][ T1860] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [ 2171.264681][ T1860] RIP: 0010:__alloc_pages_nodemask+0x2f3/0x740
      [ 2171.265332][ T1860] Code: 64 fe ff ff 65 48 8b 04 25 c0 0f 02 00 48 05 f0 12 00 00 41 be 01 00 00 00 49 89 47 0
      [ 2171.267301][ T1860] RSP: 0018:ffff8880b51af1f0 EFLAGS: 00010246
      [ 2171.268320][ T1860] RAX: ffffed1016a35e43 RBX: 0000000000000000 RCX: 0000000000000000
      [ 2171.269517][ T1860] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000000
      [ 2171.270305][ T1860] RBP: 0000000000040cc0 R08: ffffed1018893109 R09: dffffc0000000000
      [ 2171.275973][ T1860] R10: 0000000000000001 R11: ffffed1018893108 R12: 1ffff11016a35e43
      [ 2171.291039][ T1860] R13: 000000000000000b R14: 000000000000000b R15: 00000000000f4240
      [ 2171.292328][ T1860] FS:  00007f53cbc83740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
      [ 2171.293409][ T1860] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2171.294586][ T1860] CR2: 000055f540014508 CR3: 00000000b49f2004 CR4: 00000000000606e0
      [ 2171.295424][ T1860] Call Trace:
      [ 2171.295756][ T1860]  ? mark_held_locks+0xa5/0xe0
      [ 2171.296659][ T1860]  ? __alloc_pages_slowpath+0x21b0/0x21b0
      [ 2171.298283][ T1860]  ? gtp_encap_enable_socket+0x13e/0x400 [gtp]
      [ 2171.298962][ T1860]  ? alloc_pages_current+0xc1/0x1a0
      [ 2171.299475][ T1860]  kmalloc_order+0x22/0x80
      [ 2171.299936][ T1860]  kmalloc_order_trace+0x1d/0x140
      [ 2171.300437][ T1860]  __kmalloc+0x302/0x3a0
      [ 2171.300896][ T1860]  gtp_newlink+0x293/0xba0 [gtp]
      [ ... ]
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: Allow duplicate session creation with UDP · 0d0d9a38
      Ridge Kennedy authored
      In the past it was possible to create multiple L2TPv3 sessions with the
      same session id as long as the sessions belonged to different tunnels.
      The resulting sessions had issues when used with IP encapsulated tunnels,
      but worked fine with UDP encapsulated ones. Some applications began to
      rely on this behaviour to avoid having to negotiate unique session ids.
      
      Some time ago a change was made to require session ids to be unique across
      all tunnels, breaking the applications making use of this "feature".
      
      This change relaxes the duplicate session id check to allow duplicates
      if both of the colliding sessions belong to UDP encapsulated tunnels.
      
      Fixes: dbdbc73b ("l2tp: fix duplicate session creation")
      Signed-off-by: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
      Acked-by: James Chapman <jchapman@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • r8152: Add MAC passthrough support to new device · b4b771fd
      Kai-Heng Feng authored
      Device 0xa387 also supports MAC passthrough, therefore add it to the
      whitelist.
      
      BugLink: https://bugs.launchpad.net/bugs/1827961/comments/30
      Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: fix an OOB access in cls_tcindex · 599be01e
      Cong Wang authored
      As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
      to compute the size of memory allocation, but cp->hash is
      set again after the allocation, this caused an out-of-bound
      access.
      
      So we have to move all cp->hash initialization and computation
      before the memory allocation. Move cp->mask and cp->shift together
      as cp->hash may need them for computation too.
      
      Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
      Fixes: 331b7292 ("net: sched: RCU cls_tcindex")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • microblaze: Add ID for Microblaze v11 · 6aa71ef9
      Michal Simek authored
      List Microblaze v11 from PVR.
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
    • microblaze: Prevent the overflow of the start · 061d2c1d
      Shubhrajyoti Datta authored
      In case the start + cache size is more than the max int the
      start overflows.
      Prevent the same.
      Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
    • microblaze: Wire CMA allocator · 2602276d
      Michal Simek authored
      Based on commit 04e3543e ("microblaze: use the generic dma coherent
      remap allocator")
      CMA can be easily enabled by calling dma_contiguous_reserve() at the end of
      mmu_init(). High limit is end of lowmem space which is completely unused at
      this point of time.
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
    • asm-generic: Make dma-contiguous.h a mandatory include/asm header · def3f7ce
      Michal Simek authored
      dma-contiguous.h is generic for all architectures except arm32 which has
      its own version.
      
      Similar change was done for msi.h by commit a1b39bae
      ("asm-generic: Make msi.h a mandatory include/asm header")
      Suggested-by: Christoph Hellwig <hch@infradead.org>
      Link: https://lore.kernel.org/linux-arm-kernel/20200117080446.GA8980@lst.de/T/#m92bb56b04161057635d4142e1b3b9b6b0a70122e
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Acked-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Arnd Bergmann <arnd@arndb.de>
      Acked-by: Paul Walmsley <paul.walmsley@sifive.com> # for arch/riscv
    • microblaze: Sync defconfig with latest Kconfig layout · 5fefd796
      Michal Simek authored
      Layout was changed by commit 6210b640
      ("kernel-hacking: group sysrq/kgdb/ubsan into 'Generic Kernel Debugging Instruments'")
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
    • microblaze: defconfig: Disable EXT2 driver and Enable EXT3 & EXT4 drivers · 6162cd2b
      Manish Narani authored
      As EXT4 filesystem driver is used for handling EXT2 file systems as
      well. There is no need to enable EXT2 driver. This patch disables EXT2
      and enables EXT3/EXT4 drivers.
      Signed-off-by: Manish Narani <manish.narani@xilinx.com>
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
    • Merge tag 'rproc-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc · a45ad71e
      Linus Torvalds authored
      Pull remoteproc updates from Bjorn Andersson:
       "This adds support for the Mediatek MT8183 SCP, modem remoteproc on
        Qualcomm SC7180 platform, audio and sensor remoteprocs on Qualcomm
        MSM8998 and audio, compute, modem and sensor remoteprocs on Qualcomm
        SM8150.
      
        It adds votes for necessary power-domains for all Qualcomm TrustZone
        based remoteproc instances are held, fixes a bug related to remoteproc
        drivers registering before the core has been initialized and does
        clean up the Qualcomm modem remoteproc driver"
      
      * tag 'rproc-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc: (21 commits)
        remoteproc: qcom: q6v5-mss: Improve readability of reset_assert
        remoteproc: qcom: q6v5-mss: Use regmap_read_poll_timeout
        remoteproc: qcom: q6v5-mss: Rename boot status timeout
        remoteproc: qcom: q6v5-mss: Improve readability across clk handling
        remoteproc: use struct_size() helper
        remoteproc: Initialize rproc_class before use
        rpmsg: add rpmsg support for mt8183 SCP.
        remoteproc/mediatek: add SCP support for mt8183
        dt-bindings: Add a binding for Mediatek SCP
        remoteproc: mss: q6v5-mss: Add modem support on SC7180
        dt-bindings: remoteproc: qcom: Add Q6V5 Modem PIL binding for SC7180
        remoteproc: qcom: pas: Add MSM8998 ADSP and SLPI support
        dt-bindings: remoteproc: qcom: Add ADSP and SLPI support for MSM8998 SoC
        remoteproc: q6v5-mss: Remove mem clk from the active pool
        remoteproc: qcom: Remove unneeded semicolon
        remoteproc: qcom: pas: Add auto_boot flag
        remoteproc: qcom: pas: Add SM8150 ADSP, CDSP, Modem and SLPI support
        dt-bindings: remoteproc: qcom: SM8150 Add ADSP, CDSP, MPSS and SLPI support
        remoteproc: qcom: pas: Vote for active/proxy power domains
        dt-bindings: remoteproc: qcom: Add power-domain bindings for Q6V5 PAS
        ...
    • Merge tag 'hwlock-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc · 68509798
      Linus Torvalds authored
      Pull hwspinlock updates from Bjorn Andersson:
       "This continues the transition of drivers to device managed resources
        and removal of unnecessary PM runtime integration, with cleanups to
        the SIRF, OMAP and Qualcomm hwspinlock drivers.
      
        It also adds Baolin as reviewer in MAINTAINERS"
      
      * tag 'hwlock-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc:
        hwspinlock: sirf: Use devm_hwspin_lock_register() to register hwlock controller
        hwspinlock: sirf: Remove redundant PM runtime functions
        hwspinlock: sirf: Change to use devm_platform_ioremap_resource()
        hwspinlock: omap: Use devm_kzalloc() to allocate memory
        hwspinlock: omap: Change to use devm_platform_ioremap_resource()
        hwspinlock: qcom: Use devm_hwspin_lock_register() to register hwlock controller
        hwspinlock: qcom: Remove redundant PM runtime functions
        hwspinlock: stm32: convert to devm_platform_ioremap_resource
        MAINTAINERS: Add myself as reviewer for the hwspinlock subsystem
    • qed: Remove set but not used variable 'p_link' · 83b43045
      YueHaibing authored
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      drivers/net/ethernet/qlogic/qed/qed_cxt.c: In function 'qed_qm_init_pf':
      drivers/net/ethernet/qlogic/qed/qed_cxt.c:1401:29: warning:
       variable 'p_link' set but not used [-Wunused-but-set-variable]
      
      commit 92fae6fb ("qed: FW 8.42.2.0 Queue Manager changes")
      leave behind this unused variable.
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'unbreak-basic-and-bpf-tdc-testcases' · 9afe2322
      David S. Miller authored
      Davide Caratti says:
      
      ====================
      unbreak 'basic' and 'bpf' tdc testcases
      
      - patch 1/2 fixes tdc failures with 'bpf' action on fresh clones of the
        kernel tree
      - patch 2/2 allow running tdc for the 'basic' classifier without tweaking
        tdc_config.py
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tc-testing: add missing 'nsPlugin' to basic.json · e9ed4fa7
      Davide Caratti authored
      since tdc tests for cls_basic need $DEV1, use 'nsPlugin' so that the
      following command can be run without errors:
      
       [root@f31 tc-testing]# ./tdc.py -c basic
      
      Fixes: 4717b053 ("tc-testing: Introduced tdc tests for basic filter")
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tc-testing: fix eBPF tests failure on linux fresh clones · 7145fcff
      Davide Caratti authored
      when the following command is done on a fresh clone of the kernel tree,
      
       [root@f31 tc-testing]# ./tdc.py -c bpf
      
      test cases that need to build the eBPF sample program fail systematically,
      because 'buildebpfPlugin' is unable to install the kernel headers (i.e, the
      'khdr' target fails). Pass the correct environment to 'make', in place of
      ENVIR, to allow running these tests.
      
      Fixes: 4c2d39bd ("tc-testing: use a plugin to build eBPF program")
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: hsr: fix possible NULL deref in hsr_handle_frame() · 2b5b8251
      Eric Dumazet authored
      hsr_port_get_rcu() can return NULL, so we need to be careful.
      
      general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
      CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
      RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
      Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
      RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
      RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
      RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
      R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
      R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
      FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <IRQ>
       hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
       __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
       __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
       __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
       process_backlog+0x206/0x750 net/core/dev.c:6144
       napi_poll net/core/dev.c:6582 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6650
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
       </IRQ>
      
      Fixes: c5a75911 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'akpm' (patches from Andrew) · cc12071f
      Linus Torvalds authored
      Merge more updates from Andrew Morton:
       "The rest of MM and the rest of everything else: hotfixes, ipc, misc,
        procfs, lib, cleanups, arm"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (67 commits)
        ARM: dma-api: fix max_pfn off-by-one error in __dma_supported()
        treewide: remove redundant IS_ERR() before error code check
        include/linux/cpumask.h: don't calculate length of the input string
        lib: new testcases for bitmap_parse{_user}
        lib: rework bitmap_parse()
        lib: make bitmap_parse_user a wrapper on bitmap_parse
        lib: add test for bitmap_parse()
        bitops: more BITS_TO_* macros
        lib/string: add strnchrnul()
        proc: convert everything to "struct proc_ops"
        proc: decouple proc from VFS with "struct proc_ops"
        asm-generic/tlb: provide MMU_GATHER_TABLE_FREE
        asm-generic/tlb: rename HAVE_MMU_GATHER_NO_GATHER
        asm-generic/tlb: rename HAVE_MMU_GATHER_PAGE_SIZE
        asm-generic/tlb: rename HAVE_RCU_TABLE_FREE
        asm-generic/tlb: add missing CONFIG symbol
        asm-gemeric/tlb: remove stray function declarations
        asm-generic/tlb: avoid potential double flush
        mm/mmu_gather: invalidate TLB correctly on batch allocation failure and flush
        powerpc/mmu_gather: enable RCU_TABLE_FREE even for !SMP case
        ...
    • Merge tag 'drm-next-2020-02-04' of git://anongit.freedesktop.org/drm/drm · 9717c1ce
      Linus Torvalds authored
      Pull drm ttm/mm updates from Dave Airlie:
       "Thomas Hellstrom has some more changes to the TTM layer that needed a
        patch to the mm subsystem.
      
        This adds a new mm API vmf_insert_mixed_prot to avoid an ugly hack
        that has limitations in the TTM layer"
      
      * tag 'drm-next-2020-02-04' of git://anongit.freedesktop.org/drm/drm:
        mm, drm/ttm: Fix vm page protection handling
        mm: Add a vmf_insert_mixed_prot() function
    • Merge tag 'tag-chrome-platform-for-v5.6' of... · 79703e01
      Linus Torvalds authored
      Merge tag 'tag-chrome-platform-for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux
      
      Pull chrome platform updates from Benson Leung:
       "CrOS EC:
      
         - Refactoring of some of cros_ec's headers:
      
           include/linux/mfd/cros_ec.h now removed, new cros_ec.h added to
           drivers/platform/chrome which contains shared operations of cros_ec
           transport drivers.
      
         - Response tracing in cros_ec_proto
      
        Wilco EC:
      
         - Fix unregistration order.
      
         - Fix keyboard backlight probing on systems without keyboard
           backlight
      
         - Minor cleanup (newlines in printks, COMPILE_TEST)
      
        Misc:
      
         - chromeos_laptop converted to use i2c_new_scanned_device instead of
           i2c_new_probed_device"
      
      * tag 'tag-chrome-platform-for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux:
        platform/chrome: cros_ec: Match implementation with headers
        platform/chrome: cros_ec: Drop unaligned.h include
        platform/chrome: wilco_ec: Allow wilco to be compiled in COMPILE_TEST
        platform/chrome: wilco_ec: Add newlines to printks
        platform/chrome: wilco_ec: Fix unregistration order
        cros_ec: treewide: Remove 'include/linux/mfd/cros_ec.h'
        platform/chrome: cros_ec_ishtp: Make init_lock static
        platform/chrome: chromeos_laptop: Convert to i2c_new_scanned_device
        platform/chrome: cros_ec_lpc: Use platform_get_irq_optional() for optional IRQs
        platform/chrome: cros_ec_proto: Add response tracing
        platform/chrome: cros_ec_trace: Match trace commands with EC commands