1. 16 Oct, 2020 1 commit
    • David Howells's avatar
      afs: Fix rapid cell addition/removal by not using RCU on cells tree · 92e3cc91
      David Howells authored
      There are a number of problems that are being seen by the rapidly mounting
      and unmounting an afs dynamic root with an explicit cell and volume
      specified (which should probably be rejected, but that's a separate issue):
      
      What the tests are doing is to look up/create a cell record for the name
      given and then tear it down again without actually using it to try to talk
      to a server.  This is repeated endlessly, very fast, and the new cell
      collides with the old one if it's not quick enough to reuse it.
      
      It appears (as suggested by Hillf Danton) that the search through the RB
      tree under a read_seqbegin_or_lock() under RCU conditions isn't safe and
      that it's not blocking the write_seqlock(), despite taking two passes at
      it.  He suggested that the code should take a ref on the cell it's
      attempting to look at - but this shouldn't be necessary until we've
      compared the cell names.  It's possible that I'm missing a barrier
      somewhere.
      
      However, using an RCU search for this is overkill, really - we only need to
      access the cell name in a few places, and they're places where we're may
      end up sleeping anyway.
      
      Fix this by switching to an R/W semaphore instead.
      
      Additionally, draw the down_read() call inside the function (renamed to
      afs_find_cell()) since all the callers were taking the RCU read lock (or
      should've been[*]).
      
      [*] afs_probe_cell_name() should have been, but that doesn't appear to be
      involved in the bug reports.
      
      The symptoms of this look like:
      
      	general protection fault, probably for non-canonical address 0xf27d208691691fdb: 0000 [#1] PREEMPT SMP KASAN
      	KASAN: maybe wild-memory-access in range [0x93e924348b48fed8-0x93e924348b48fedf]
      	...
      	RIP: 0010:strncasecmp lib/string.c:52 [inline]
      	RIP: 0010:strncasecmp+0x5f/0x240 lib/string.c:43
      	 afs_lookup_cell_rcu+0x313/0x720 fs/afs/cell.c:88
      	 afs_lookup_cell+0x2ee/0x1440 fs/afs/cell.c:249
      	 afs_parse_source fs/afs/super.c:290 [inline]
      	...
      
      Fixes: 989782dc ("afs: Overhaul cell database management")
      Reported-by: syzbot+459a5dce0b4cb70fd076@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Hillf Danton <hdanton@sina.com>
      cc: syzkaller-bugs@googlegroups.com
      92e3cc91
  2. 11 Oct, 2020 10 commits
  3. 10 Oct, 2020 6 commits
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · da690031
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Some more driver bugfixes for I2C. Including a revert - the updated
        series for it will come during the next merge window"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: owl: Clear NACK and BUS error bits
        Revert "i2c: imx: Fix reset of I2SR_IAL flag"
        i2c: meson: fixup rate calculation with filter delay
        i2c: meson: keep peripheral clock enabled
        i2c: meson: fix clock setting overwrite
        i2c: imx: Fix reset of I2SR_IAL flag
      da690031
    • Vladimir Zapolskiy's avatar
      cifs: Fix incomplete memory allocation on setxattr path · 64b7f674
      Vladimir Zapolskiy authored
      On setxattr() syscall path due to an apprent typo the size of a dynamically
      allocated memory chunk for storing struct smb2_file_full_ea_info object is
      computed incorrectly, to be more precise the first addend is the size of
      a pointer instead of the wanted object size. Coincidentally it makes no
      difference on 64-bit platforms, however on 32-bit targets the following
      memcpy() writes 4 bytes of data outside of the dynamically allocated memory.
      
        =============================================================================
        BUG kmalloc-16 (Not tainted): Redzone overwritten
        -----------------------------------------------------------------------------
      
        Disabling lock debugging due to kernel taint
        INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
        INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
        INFO: Object 0x6f171df3 @offset=352 fp=0x00000000
      
        Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
        Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69  ........snrub.fi
        Redzone 79e69a6f: 73 68 32 0a                                      sh2.
        Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
        CPU: 0 PID: 8196 Comm: attr Tainted: G    B             5.9.0-rc8+ #3
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
        Call Trace:
         dump_stack+0x54/0x6e
         print_trailer+0x12c/0x134
         check_bytes_and_report.cold+0x3e/0x69
         check_object+0x18c/0x250
         free_debug_processing+0xfe/0x230
         __slab_free+0x1c0/0x300
         kfree+0x1d3/0x220
         smb2_set_ea+0x27d/0x540
         cifs_xattr_set+0x57f/0x620
         __vfs_setxattr+0x4e/0x60
         __vfs_setxattr_noperm+0x4e/0x100
         __vfs_setxattr_locked+0xae/0xd0
         vfs_setxattr+0x4e/0xe0
         setxattr+0x12c/0x1a0
         path_setxattr+0xa4/0xc0
         __ia32_sys_lsetxattr+0x1d/0x20
         __do_fast_syscall_32+0x40/0x70
         do_fast_syscall_32+0x29/0x60
         do_SYSENTER_32+0x15/0x20
         entry_SYSENTER_32+0x9f/0xf2
      
      Fixes: 5517554e ("cifs: Add support for writing attributes on SMB2+")
      Signed-off-by: default avatarVladimir Zapolskiy <vladimir@tuxera.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      64b7f674
    • Hugh Dickins's avatar
      mm/khugepaged: fix filemap page_to_pgoff(page) != offset · 033b5d77
      Hugh Dickins authored
      There have been elusive reports of filemap_fault() hitting its
      VM_BUG_ON_PAGE(page_to_pgoff(page) != offset, page) on kernels built
      with CONFIG_READ_ONLY_THP_FOR_FS=y.
      
      Suren has hit it on a kernel with CONFIG_READ_ONLY_THP_FOR_FS=y and
      CONFIG_NUMA is not set: and he has analyzed it down to how khugepaged
      without NUMA reuses the same huge page after collapse_file() failed
      (whereas NUMA targets its allocation to the respective node each time).
      And most of us were usually testing with CONFIG_NUMA=y kernels.
      
      collapse_file(old start)
        new_page = khugepaged_alloc_page(hpage)
        __SetPageLocked(new_page)
        new_page->index = start // hpage->index=old offset
        new_page->mapping = mapping
        xas_store(&xas, new_page)
      
                                filemap_fault
                                  page = find_get_page(mapping, offset)
                                  // if offset falls inside hpage then
                                  // compound_head(page) == hpage
                                  lock_page_maybe_drop_mmap()
                                    __lock_page(page)
      
        // collapse fails
        xas_store(&xas, old page)
        new_page->mapping = NULL
        unlock_page(new_page)
      
      collapse_file(new start)
        new_page = khugepaged_alloc_page(hpage)
        __SetPageLocked(new_page)
        new_page->index = start // hpage->index=new offset
        new_page->mapping = mapping // mapping becomes valid again
      
                                  // since compound_head(page) == hpage
                                  // page_to_pgoff(page) got changed
                                  VM_BUG_ON_PAGE(page_to_pgoff(page) != offset)
      
      An initial patch replaced __SetPageLocked() by lock_page(), which did
      fix the race which Suren illustrates above.  But testing showed that it's
      not good enough: if the racing task's __lock_page() gets delayed long
      after its find_get_page(), then it may follow collapse_file(new start)'s
      successful final unlock_page(), and crash on the same VM_BUG_ON_PAGE.
      
      It could be fixed by relaxing filemap_fault()'s VM_BUG_ON_PAGE to a
      check and retry (as is done for mapping), with similar relaxations in
      find_lock_entry() and pagecache_get_page(): but it's not obvious what
      else might get caught out; and khugepaged non-NUMA appears to be unique
      in exposing a page to page cache, then revoking, without going through
      a full cycle of freeing before reuse.
      
      Instead, non-NUMA khugepaged_prealloc_page() release the old page
      if anyone else has a reference to it (1% of cases when I tested).
      
      Although never reported on huge tmpfs, I believe its find_lock_entry()
      has been at similar risk; but huge tmpfs does not rely on khugepaged
      for its normal working nearly so much as READ_ONLY_THP_FOR_FS does.
      Reported-by: default avatarDenis Lisov <dennis.lissov@gmail.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206569
      Link: https://lore.kernel.org/linux-mm/?q=20200219144635.3b7417145de19b65f258c943%40linux-foundation.orgReported-by: default avatarQian Cai <cai@lca.pw>
      Link: https://lore.kernel.org/linux-xfs/?q=20200616013309.GB815%40lca.pwReported-and-analyzed-by: default avatarSuren Baghdasaryan <surenb@google.com>
      Fixes: 87c460a0 ("mm/khugepaged: collapse_shmem() without freezing new_page")
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: stable@vger.kernel.org # v4.9+
      Reviewed-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      033b5d77
    • Cristian Ciocaltea's avatar
      i2c: owl: Clear NACK and BUS error bits · f5b3f433
      Cristian Ciocaltea authored
      When the NACK and BUS error bits are set by the hardware, the driver is
      responsible for clearing them by writing "1" into the corresponding
      status registers.
      
      Hence perform the necessary operations in owl_i2c_interrupt().
      
      Fixes: d211e62a ("i2c: Add Actions Semiconductor Owl family S900 I2C driver")
      Reported-by: default avatarManivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
      Signed-off-by: default avatarCristian Ciocaltea <cristian.ciocaltea@gmail.com>
      Signed-off-by: default avatarWolfram Sang <wsa@kernel.org>
      f5b3f433
    • Wolfram Sang's avatar
      Revert "i2c: imx: Fix reset of I2SR_IAL flag" · 5a02e7c4
      Wolfram Sang authored
      This reverts commit fa4d3055. An updated
      version was sent. So, revert this version and give the new version more
      time for testing.
      Signed-off-by: default avatarWolfram Sang <wsa@kernel.org>
      5a02e7c4
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 6f2f486d
      Linus Torvalds authored
      Pull spi fix from Mark Brown:
       "One last minute fix for v5.9 which has been causing crashes in test
        systems with the fsl-dspi driver when they hit deferred probe (and
        which I probably let cook in next a bit longer than is ideal).
      
        And an update to MAINTAINERS reflecting Serge's extensive and
        detailed recent work on the DesignWare driver"
      
      * tag 'spi-fix-v5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        MAINTAINERS: Add maintainer of DW APB SSI driver
        spi: fsl-dspi: fix NULL pointer dereference
      6f2f486d
  4. 09 Oct, 2020 9 commits
  5. 08 Oct, 2020 14 commits
    • Sebastian Reichel's avatar
      power: supply: sbs-battery: chromebook workaround for PEC · e3f2396b
      Sebastian Reichel authored
      Looks like the I2C tunnel implementation from Chromebook's
      embedded controller does not handle PEC correctly. Fix this
      by disabling PEC for batteries behind those I2C tunnels as
      a workaround.
      
      Note, that some Chromebooks actually have been reported to
      have working PEC support (with I2C tunnel). Since the problem
      has not yet been fully understood this simply reverts all
      Chromebooks to not use PEC for now.
      Reported-by: default avatar"Milan P. Stanić" <mps@arvanta.net>
      Reported-by: default avatarVicente Bergas <vicencb@gmail.com>
      CC: Enric Balletbo i Serra <enric.balletbo@collabora.com>
      Fixes: 7222bd60 ("power: supply: sbs-battery: add PEC support")
      Tested-by: default avatarVicente Bergas <vicencb@gmail.com>
      Tested-by: default avatar"Milan P. Stanić" <mps@arvanta.net>
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.com>
      e3f2396b
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 3fdd47c3
      Linus Torvalds authored
      Pull vhost fixes from Michael Tsirkin:
       "Some last minute vhost,vdpa fixes.
      
        The last two of them haven't been in next but they do seem kind of
        obvious, very small and safe, fix bugs reported in the field, and they
        are both in a new mlx5 vdpa driver, so it's not like we can introduce
        regressions"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vdpa/mlx5: Fix dependency on MLX5_CORE
        vdpa/mlx5: should keep avail_index despite device status
        vhost-vdpa: fix page pinning leakage in error path
        vhost-vdpa: fix vhost_vdpa_map() on error condition
        vhost: Don't call log_access_ok() when using IOTLB
        vhost: Use vhost_get_used_size() in vhost_vring_set_addr()
        vhost: Don't call access_ok() when using IOTLB
        vhost vdpa: fix vhost_vdpa_open error handling
      3fdd47c3
    • Yongqiang Sun's avatar
      drm/amd/display: Change ABM config init interface · 33c8256b
      Yongqiang Sun authored
      [Why & How]
      change abm config init interface to support multiple ABMs.
      Signed-off-by: default avatarYongqiang Sun <yongqiang.sun@amd.com>
      Reviewed-by: default avatarChris Park <Chris.Park@amd.com>
      Acked-by: default avatarRodrigo Siqueira <Rodrigo.Siqueira@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      33c8256b
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 6288c1d8
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "One more set of fixes from the networking tree:
      
         - add missing input validation in nl80211_del_key(), preventing
           out-of-bounds access
      
         - last minute fix / improvement of a MRP netlink (uAPI) interface
           introduced in 5.9 (current) release
      
         - fix "unresolved symbol" build error under CONFIG_NET w/o
           CONFIG_INET due to missing tcp_timewait_sock and inet_timewait_sock
           BTF.
      
         - fix 32 bit sub-register bounds tracking in the bpf verifier for OR
           case
      
         - tcp: fix receive window update in tcp_add_backlog()
      
         - openvswitch: handle DNAT tuple collision in conntrack-related code
      
         - r8169: wait for potential PHY reset to finish after applying a FW
           file, avoiding unexpected PHY behaviour and failures later on
      
         - mscc: fix tail dropping watermarks for Ocelot switches
      
         - avoid use-after-free in macsec code after a call to the GRO layer
      
         - avoid use-after-free in sctp error paths
      
         - add a device id for Cellient MPL200 WWAN card
      
         - rxrpc fixes:
            - fix the xdr encoding of the contents read from an rxrpc key
            - fix a BUG() for a unsupported encoding type.
            - fix missing _bh lock annotations.
            - fix acceptance handling for an incoming call where the incoming
              call is encrypted.
            - the server token keyring isn't network namespaced - it belongs
              to the server, so there's no need. Namespacing it means that
              request_key() fails to find it.
            - fix a leak of the server keyring"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (21 commits)
        net: usb: qmi_wwan: add Cellient MPL200 card
        macsec: avoid use-after-free in macsec_handle_frame()
        r8169: consider that PHY reset may still be in progress after applying firmware
        openvswitch: handle DNAT tuple collision
        sctp: fix sctp_auth_init_hmacs() error path
        bridge: Netlink interface fix.
        net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
        bpf: Fix scalar32_min_max_or bounds tracking
        tcp: fix receive window update in tcp_add_backlog()
        net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails
        mptcp: more DATA FIN fixes
        net: mscc: ocelot: warn when encoding an out-of-bounds watermark value
        net: mscc: ocelot: divide watermark value by 60 when writing to SYS_ATOP
        net: qrtr: ns: Fix the incorrect usage of rcu_read_lock()
        rxrpc: Fix server keyring leak
        rxrpc: The server keyring isn't network-namespaced
        rxrpc: Fix accept on a connection that need securing
        rxrpc: Fix some missing _bh annotations on locking conn->state_lock
        rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()
        rxrpc: Fix rxkad token xdr encoding
        ...
      6288c1d8
    • Eli Cohen's avatar
      vdpa/mlx5: Fix dependency on MLX5_CORE · aff90770
      Eli Cohen authored
      Remove propmt for selecting MLX5_VDPA by the user and modify
      MLX5_VDPA_NET to select MLX5_VDPA. Also modify MLX5_VDPA_NET to depend
      on mlx5_core.
      
      This fixes an issue where configuration sets 'y' for MLX5_VDPA_NET while
      MLX5_CORE is compiled as a module causing link errors.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Fixes: 1a86b377 ("vdpa/mlx5: Add VDPA driver for supported mlx5 device")s
      Signed-off-by: default avatarEli Cohen <elic@nvidia.com>
      Link: https://lore.kernel.org/r/20201007064011.GA50074@mtl-vdi-166.wap.labs.mlnxSigned-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      aff90770
    • Si-Wei Liu's avatar
      vdpa/mlx5: should keep avail_index despite device status · 3176e974
      Si-Wei Liu authored
      A VM with mlx5 vDPA has below warnings while being reset:
      
      vhost VQ 0 ring restore failed: -1: Resource temporarily unavailable (11)
      vhost VQ 1 ring restore failed: -1: Resource temporarily unavailable (11)
      
      We should allow userspace emulating the virtio device be
      able to get to vq's avail_index, regardless of vDPA device
      status. Save the index that was last seen when virtq was
      stopped, so that userspace doesn't complain.
      Signed-off-by: default avatarSi-Wei Liu <si-wei.liu@oracle.com>
      Link: https://lore.kernel.org/r/1601583511-15138-1-git-send-email-si-wei.liu@oracle.comSigned-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarEli Cohen <elic@nvidia.com>
      3176e974
    • Wilken Gottwalt's avatar
      net: usb: qmi_wwan: add Cellient MPL200 card · 28802e7c
      Wilken Gottwalt authored
      Add usb ids of the Cellient MPL200 card.
      Signed-off-by: default avatarWilken Gottwalt <wilken.gottwalt@mailbox.org>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      28802e7c
    • Eric Dumazet's avatar
      macsec: avoid use-after-free in macsec_handle_frame() · c7cc9200
      Eric Dumazet authored
      De-referencing skb after call to gro_cells_receive() is not allowed.
      We need to fetch skb->len earlier.
      
      Fixes: 5491e7c6 ("macsec: enable GRO and RPS on macsec devices")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c7cc9200
    • Heiner Kallweit's avatar
      r8169: consider that PHY reset may still be in progress after applying firmware · 47dda786
      Heiner Kallweit authored
      Some firmware files trigger a PHY soft reset and don't wait for it to
      be finished. PHY register writes directly after applying the firmware
      may fail or provide unexpected results therefore. Fix this by waiting
      for bit BMCR_RESET to be cleared after applying firmware.
      
      There's nothing wrong with the referenced change, it's just that the
      fix will apply cleanly only after this change.
      
      Fixes: 89fbd26c ("r8169: fix firmware not resetting tp->ocp_base")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      47dda786
    • Dumitru Ceara's avatar
      openvswitch: handle DNAT tuple collision · 8aa7b526
      Dumitru Ceara authored
      With multiple DNAT rules it's possible that after destination
      translation the resulting tuples collide.
      
      For example, two openvswitch flows:
      nw_dst=10.0.0.10,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
      nw_dst=10.0.0.20,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
      
      Assuming two TCP clients initiating the following connections:
      10.0.0.10:5000->10.0.0.10:10
      10.0.0.10:5000->10.0.0.20:10
      
      Both tuples would translate to 10.0.0.10:5000->20.0.0.1:20 causing
      nf_conntrack_confirm() to fail because of tuple collision.
      
      Netfilter handles this case by allocating a null binding for SNAT at
      egress by default.  Perform the same operation in openvswitch for DNAT
      if no explicit SNAT is requested by the user and allocate a null binding
      for SNAT for packets in the "original" direction.
      
      Reported-at: https://bugzilla.redhat.com/1877128Suggested-by: default avatarFlorian Westphal <fw@strlen.de>
      Fixes: 05752523 ("openvswitch: Interface with NAT.")
      Signed-off-by: default avatarDumitru Ceara <dceara@redhat.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8aa7b526
    • Eric Dumazet's avatar
      sctp: fix sctp_auth_init_hmacs() error path · d42ee76e
      Eric Dumazet authored
      After freeing ep->auth_hmacs we have to clear the pointer
      or risk use-after-free as reported by syzbot:
      
      BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
      BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
      BUG: KASAN: use-after-free in sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
      Read of size 8 at addr ffff8880a8ff52c0 by task syz-executor941/6874
      
      CPU: 0 PID: 6874 Comm: syz-executor941 Not tainted 5.9.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x198/0x1fd lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
       __kasan_report mm/kasan/report.c:513 [inline]
       kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
       sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
       sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
       sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
       sctp_endpoint_destroy+0x95/0x240 net/sctp/endpointola.c:203
       sctp_endpoint_put net/sctp/endpointola.c:236 [inline]
       sctp_endpoint_free+0xd6/0x110 net/sctp/endpointola.c:183
       sctp_destroy_sock+0x9c/0x3c0 net/sctp/socket.c:4981
       sctp_v6_destroy_sock+0x11/0x20 net/sctp/socket.c:9415
       sk_common_release+0x64/0x390 net/core/sock.c:3254
       sctp_close+0x4ce/0x8b0 net/sctp/socket.c:1533
       inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
       inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:475
       __sock_release+0xcd/0x280 net/socket.c:596
       sock_close+0x18/0x20 net/socket.c:1277
       __fput+0x285/0x920 fs/file_table.c:281
       task_work_run+0xdd/0x190 kernel/task_work.c:141
       exit_task_work include/linux/task_work.h:25 [inline]
       do_exit+0xb7d/0x29f0 kernel/exit.c:806
       do_group_exit+0x125/0x310 kernel/exit.c:903
       __do_sys_exit_group kernel/exit.c:914 [inline]
       __se_sys_exit_group kernel/exit.c:912 [inline]
       __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:912
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x43f278
      Code: Bad RIP value.
      RSP: 002b:00007fffe0995c38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f278
      RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
      RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0
      R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000001
      R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
      
      Allocated by task 6874:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track mm/kasan/common.c:56 [inline]
       __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
       kmem_cache_alloc_trace+0x174/0x300 mm/slab.c:3554
       kmalloc include/linux/slab.h:554 [inline]
       kmalloc_array include/linux/slab.h:593 [inline]
       kcalloc include/linux/slab.h:605 [inline]
       sctp_auth_init_hmacs+0xdb/0x3b0 net/sctp/auth.c:464
       sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
       sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
       sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
       __sys_setsockopt+0x2db/0x610 net/socket.c:2132
       __do_sys_setsockopt net/socket.c:2143 [inline]
       __se_sys_setsockopt net/socket.c:2140 [inline]
       __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Freed by task 6874:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
       kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
       __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
       __cache_free mm/slab.c:3422 [inline]
       kfree+0x10e/0x2b0 mm/slab.c:3760
       sctp_auth_destroy_hmacs net/sctp/auth.c:511 [inline]
       sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
       sctp_auth_init_hmacs net/sctp/auth.c:496 [inline]
       sctp_auth_init_hmacs+0x2b7/0x3b0 net/sctp/auth.c:454
       sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
       sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
       sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
       __sys_setsockopt+0x2db/0x610 net/socket.c:2132
       __do_sys_setsockopt net/socket.c:2143 [inline]
       __se_sys_setsockopt net/socket.c:2140 [inline]
       __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 1f485649 ("[SCTP]: Implement SCTP-AUTH internals")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d42ee76e
    • Jakub Kicinski's avatar
      Merge tag 'mac80211-for-net-2020-10-08' of... · a9e54cb3
      Jakub Kicinski authored
      Merge tag 'mac80211-for-net-2020-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      pull-request: mac80211 2020-10-08
      
      A single fix for missing input validation in nl80211.
      ====================
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a9e54cb3
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · cfe90f49
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2020-10-08
      
      The main changes are:
      
      1) Fix "unresolved symbol" build error under CONFIG_NET w/o CONFIG_INET due
         to missing tcp_timewait_sock and inet_timewait_sock BTF, from Yonghong Song.
      
      2) Fix 32 bit sub-register bounds tracking for OR case, from Daniel Borkmann.
      ====================
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cfe90f49
    • Henrik Bjoernlund's avatar
      bridge: Netlink interface fix. · b6c02ef5
      Henrik Bjoernlund authored
      This commit is correcting NETLINK br_fill_ifinfo() to be able to
      handle 'filter_mask' with multiple flags asserted.
      
      Fixes: 36a8e8e2 ("bridge: Extend br_fill_ifinfo to return MPR status")
      Signed-off-by: default avatarHenrik Bjoernlund <henrik.bjoernlund@microchip.com>
      Reviewed-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Suggested-by: default avatarNikolay Aleksandrov <nikolay@nvidia.com>
      Tested-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@nvidia.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b6c02ef5