1. 17 Feb, 2019 2 commits
    • Dan Carpenter's avatar
      atm: clean up vcc_seq_next() · d0edde8d
      Dan Carpenter authored
      It's confusing to call PTR_ERR(v).  The PTR_ERR() function is basically
      a fancy cast to long so it makes you wonder, was IS_ERR() intended?  But
      that doesn't make sense because vcc_walk() doesn't return error
      pointers.
      
      This patch doesn't affect runtime, it's just a cleanup.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0edde8d
    • Guillaume Nault's avatar
      sock: consistent handling of extreme SO_SNDBUF/SO_RCVBUF values · 4057765f
      Guillaume Nault authored
      SO_SNDBUF and SO_RCVBUF (and their *BUFFORCE version) may overflow or
      underflow their input value. This patch aims at providing explicit
      handling of these extreme cases, to get a clear behaviour even with
      values bigger than INT_MAX / 2 or lower than INT_MIN / 2.
      
      For simplicity, only SO_SNDBUF and SO_SNDBUFFORCE are described here,
      but the same explanation and fix apply to SO_RCVBUF and SO_RCVBUFFORCE
      (with 'SNDBUF' replaced by 'RCVBUF' and 'wmem_max' by 'rmem_max').
      
      Overflow of positive values
      
      ===========================
      
      When handling SO_SNDBUF or SO_SNDBUFFORCE, if 'val' exceeds
      INT_MAX / 2, the buffer size is set to its minimum value because
      'val * 2' overflows, and max_t() considers that it's smaller than
      SOCK_MIN_SNDBUF. For SO_SNDBUF, this can only happen with
      net.core.wmem_max > INT_MAX / 2.
      
      SO_SNDBUF and SO_SNDBUFFORCE are actually designed to let users probe
      for the maximum buffer size by setting an arbitrary large number that
      gets capped to the maximum allowed/possible size. Having the upper
      half of the positive integer space to potentially reduce the buffer
      size to its minimum value defeats this purpose.
      
      This patch caps the base value to INT_MAX / 2, so that bigger values
      don't overflow and keep setting the buffer size to its maximum.
      
      Underflow of negative values
      ============================
      
      For negative numbers, SO_SNDBUF always considers them bigger than
      net.core.wmem_max, which is bounded by [SOCK_MIN_SNDBUF, INT_MAX].
      Therefore such values are set to net.core.wmem_max and we're back to
      the behaviour of positive integers described above (return maximum
      buffer size if wmem_max <= INT_MAX / 2, return SOCK_MIN_SNDBUF
      otherwise).
      
      However, SO_SNDBUFFORCE behaves differently. The user value is
      directly multiplied by two and compared with SOCK_MIN_SNDBUF. If
      'val * 2' doesn't underflow or if it underflows to a value smaller
      than SOCK_MIN_SNDBUF then buffer size is set to its minimum value.
      Otherwise the buffer size is set to the underflowed value.
      
      This patch treats negative values passed to SO_SNDBUFFORCE as null, to
      prevent underflows. Therefore negative values now always set the buffer
      size to its minimum value.
      
      Even though SO_SNDBUF behaves inconsistently by setting buffer size to
      the maximum value when passed a negative number, no attempt is made to
      modify this behaviour. There may exist some programs that rely on using
      negative numbers to set the maximum buffer size. Avoiding overflows
      because of extreme net.core.wmem_max values is the most we can do here.
      
      Summary of altered behaviours
      =============================
      
      val      : user-space value passed to setsockopt()
      val_uf   : the underflowed value resulting from doubling val when
                 val < INT_MIN / 2
      wmem_max : short for net.core.wmem_max
      val_cap  : min(val, wmem_max)
      min_len  : minimal buffer length (that is, SOCK_MIN_SNDBUF)
      max_len  : maximal possible buffer length, regardless of wmem_max (that
                 is, INT_MAX - 1)
      ^^^^     : altered behaviour
      
      SO_SNDBUF:
      +-------------------------+-------------+------------+----------------+
      |       CONDITION         | OLD RESULT  | NEW RESULT |    COMMENT     |
      +-------------------------+-------------+------------+----------------+
      | val < 0 &&              |             |            | No overflow,   |
      | wmem_max <= INT_MAX/2   | wmem_max*2  | wmem_max*2 | keep original  |
      |                         |             |            | behaviour      |
      +-------------------------+-------------+------------+----------------+
      | val < 0 &&              |             |            | Cap wmem_max   |
      | INT_MAX/2 < wmem_max    | min_len     | max_len    | to prevent     |
      |                         |             | ^^^^^^^    | overflow       |
      +-------------------------+-------------+------------+----------------+
      | 0 <= val <= min_len/2   | min_len     | min_len    | Ordinary case  |
      +-------------------------+-------------+------------+----------------+
      | min_len/2 < val &&      | val_cap*2   | val_cap*2  | Ordinary case  |
      | val_cap <= INT_MAX/2    |             |            |                |
      +-------------------------+-------------+------------+----------------+
      | min_len < val &&        |             |            | Cap val_cap    |
      | INT_MAX/2 < val_cap     | min_len     | max_len    | again to       |
      | (implies that           |             | ^^^^^^^    | prevent        |
      | INT_MAX/2 < wmem_max)   |             |            | overflow       |
      +-------------------------+-------------+------------+----------------+
      
      SO_SNDBUFFORCE:
      +------------------------------+---------+---------+------------------+
      |          CONDITION           | BEFORE  | AFTER   |     COMMENT      |
      |                              | PATCH   | PATCH   |                  |
      +------------------------------+---------+---------+------------------+
      | val < INT_MIN/2 &&           | min_len | min_len | Underflow with   |
      | val_uf <= min_len            |         |         | no consequence   |
      +------------------------------+---------+---------+------------------+
      | val < INT_MIN/2 &&           | val_uf  | min_len | Set val to 0 to  |
      | val_uf > min_len             |         | ^^^^^^^ | avoid underflow  |
      +------------------------------+---------+---------+------------------+
      | INT_MIN/2 <= val < 0         | min_len | min_len | No underflow     |
      +------------------------------+---------+---------+------------------+
      | 0 <= val <= min_len/2        | min_len | min_len | Ordinary case    |
      +------------------------------+---------+---------+------------------+
      | min_len/2 < val <= INT_MAX/2 | val*2   | val*2   | Ordinary case    |
      +------------------------------+---------+---------+------------------+
      | INT_MAX/2 < val              | min_len | max_len | Cap val to       |
      |                              |         | ^^^^^^^ | prevent overflow |
      +------------------------------+---------+---------+------------------+
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4057765f
  2. 16 Feb, 2019 26 commits
  3. 15 Feb, 2019 12 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 3313da81
      David S. Miller authored
      The netfilter conflicts were rather simple overlapping
      changes.
      
      However, the cls_tcindex.c stuff was a bit more complex.
      
      On the 'net' side, Cong is fixing several races and memory
      leaks.  Whilst on the 'net-next' side we have Vlad adding
      the rtnl-ness support.
      
      What I've decided to do, in order to resolve this, is revert the
      conversion over to using a workqueue that Cong did, bringing us back
      to pure RCU.  I did it this way because I believe that either Cong's
      races don't apply with have Vlad did things, or Cong will have to
      implement the race fix slightly differently.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3313da81
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190215' of git://git.kernel.dk/linux-block · 24f0a487
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Ensure we insert into the hctx dispatch list, if a request is marked
         as DONTPREP (Jianchao)
      
       - NVMe pull request, single missing unlock on error fix (Keith)
      
       - MD pull request, single fix for a potentially data corrupting issue
         (Nate)
      
       - Floppy check_events regression fix (Yufen)
      
      * tag 'for-linus-20190215' of git://git.kernel.dk/linux-block:
        md/raid1: don't clear bitmap bits on interrupted recovery.
        floppy: check_events callback should not return a negative number
        nvme-pci: add missing unlock for reset error
        blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue
      24f0a487
    • Linus Torvalds's avatar
      Merge tag 'for-5.0/dm-fixes-3' of... · ae3fa8bd
      Linus Torvalds authored
      Merge tag 'for-5.0/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix bug in DM crypt's sizing of its block integrity tag space,
         resulting in less memory use when DM crypt layers on DM integrity.
      
       - Fix a long-standing DM thinp crash consistency bug that was due to
         improper handling of FUA. This issue is specific to writes that fill
         an entire thinp block which needs to be allocated.
      
      * tag 'for-5.0/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm thin: fix bug where bio that overwrites thin block ignores FUA
        dm crypt: don't overallocate the integrity tag space
      ae3fa8bd
    • Linus Torvalds's avatar
      Merge tag 'mmc-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · dfeae337
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "A couple of MMC fixes intended for v5.0-rc7.
      
        MMC core:
         - Fix deadlock bug for block I/O requests
      
        MMC host:
         - sunxi: Disable broken HS-DDR mode for H5 by default
         - sunxi: Avoid unsupported speed modes declared via DT
         - meson-gx: Restore interrupt name"
      
      * tag 'mmc-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: meson-gx: fix interrupt name
        mmc: block: handle complete_work on separate workqueue
        mmc: sunxi: Filter out unsupported modes declared in the device tree
        mmc: sunxi: Disable HS-DDR mode for H5 eMMC controller by default
      dfeae337
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-02-15-1' of git://anongit.freedesktop.org/drm/drm · 545aabcb
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Usual pull request, little larger than I'd like but nothing too
        strange in it. Willy found an bug in the lease ioctl calculations, but
        it's a drm master only ioctl which makes it harder to mess with.
      
       i915:
         - combo phy programming fix
         - opregion version check fix for VBT RVDA lookup
         - gem mmap ioctl race fix
         - fbdev hpd during suspend fix
         - array size bounds check fix in pmu
      
        amdgpu:
         - Vega20 psp fix
         - Add vrr range to debugfs for freesync debugging
      
        sched:
         - Scheduler race fix
      
        vkms:
         - license header fixups
      
        imx:
         - Fix CSI register offsets for i.MX51 and i.MX53.
         - Fix delayed page flip completion events on i.MX6QP due to
           unexpected behaviour of the PRE when issuing NOP buffer updates to
           the same buffer address.
         - Stop throwing errors for plane updates on disabled CRTCs when a
           userspace process is killed while a plane update is pending.
         - Add missing of_node_put cleanup in imx_ldb_bind"
      
      * tag 'drm-fixes-2019-02-15-1' of git://anongit.freedesktop.org/drm/drm:
        drm: Use array_size() when creating lease
        drm/amdgpu/psp11: TA firmware is optional (v3)
        drm/i915/opregion: rvda is relative from opregion base in opregion 2.1+
        drm/i915/opregion: fix version check
        drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
        drm/i915: Block fbdev HPD processing during suspend
        drm/i915/pmu: Fix enable count array size and bounds checking
        drm/i915/cnl: Fix CNL macros for Voltage Swing programming
        drm/i915/icl: combo port vswing programming changes per BSPEC
        drm/vkms: Fix license inconsistent
        drm/amd/display: Expose connector VRR range via debugfs
        drm/sched: Always trace the dependencies we wait on, to fix a race.
        gpu: ipu-v3: pre: don't trigger update if buffer address doesn't change
        gpu: ipu-v3: Fix CSI offsets for imx53
        drm/imx: imx-ldb: add missing of_node_puts
        gpu: ipu-v3: Fix i.MX51 CSI control registers offset
        drm/imx: ignore plane updates on disabled crtcs
      545aabcb
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 2aba3220
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "This fixes a crash on resume in the ccree driver"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: ccree - fix resume race condition on init
      2aba3220
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 6e7bd3b5
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix MAC address setting in mac80211 pmsr code, from Johannes Berg.
      
       2) Probe SFP modules after being attached, from Russell King.
      
       3) Byte ordering bug in SMC rx_curs_confirmed code, from Ursula Braun.
      
       4) Revert some r8169 changes that are causing regressions, from Heiner
          Kallweit.
      
       5) Fix spurious connection timeouts in netfilter nat code, from Florian
          Westphal.
      
       6) SKB leak in tipc, from Hoang Le.
      
       7) Short packet checkum issue in mlx4, similar to a previous mlx5
          change, from Saeed Mahameed. The issue is that whilst padding bytes
          are usually zero, it is not guarateed and the hardware doesn't take
          the padding bytes into consideration when generating the checksum.
      
       8) Fix various races in cls_tcindex, from Cong Wang.
      
       9) Need to set stream ext to NULL before freeing in SCTP code, from Xin
          Long.
      
      10) Fix locking in phy_is_started, from Heiner Kallweit.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
        net: ethernet: freescale: set FEC ethtool regs version
        net: hns: Fix object reference leaks in hns_dsaf_roce_reset()
        mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs
        net: phy: fix potential race in the phylib state machine
        net: phy: don't use locking in phy_is_started
        selftests: fix timestamping Makefile
        net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
        net: fix possible overflow in __sk_mem_raise_allocated()
        dsa: mv88e6xxx: Ensure all pending interrupts are handled prior to exit
        net: phy: fix interrupt handling in non-started states
        sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate
        sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment
        net/mlx5e: XDP, fix redirect resources availability check
        net/mlx5: Fix a compilation warning in events.c
        net/mlx5: No command allowed when command interface is not ready
        net/mlx5e: Fix NULL pointer derefernce in set channels error flow
        netfilter: nft_compat: use-after-free when deleting targets
        team: avoid complex list operations in team_nl_cmd_options_set()
        net_sched: fix two more memory leaks in cls_tcindex
        net_sched: fix a memory leak in cls_tcindex
        ...
      6e7bd3b5
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 02d75040
      Linus Torvalds authored
      Pull signal fix from Eric Biederman:
       "Just a single patch that restores PTRACE_EVENT_EXIT functionality that
        was accidentally broken by last weeks fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        signal: Restore the stop PTRACE_EVENT_EXIT
      02d75040
    • Matthew Wilcox's avatar
      drm: Use array_size() when creating lease · 69ef943d
      Matthew Wilcox authored
      Passing an object_count of sufficient size will make
      object_count * 4 wrap around to be very small, then a later function
      will happily iterate off the end of the object_ids array.  Using
      array_size() will saturate at SIZE_MAX, the kmalloc() will fail and
      we'll return an -ENOMEM to the norty userspace.
      
      Fixes: 62884cd3 ("drm: Add four ioctls for managing drm mode object leases [v7]")
      Signed-off-by: default avatarMatthew Wilcox <willy@infradead.org>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: <stable@vger.kernel.org> # v4.15+
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      69ef943d
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-5.0' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 7abbb35b
      Dave Airlie authored
      amdgpu:
      - Vega20 psp fix
      - Add vrr range to debugfs for freesync debugging
      
      sched:
      - Scheduler race fix
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190213202958.3336-1-alexander.deucher@amd.com
      7abbb35b
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2019-02-13' of... · 5016bd24
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2019-02-13' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      drm/i915 fixes for v5.0-rc7:
      - combo phy programming fix
      - opregion version check fix for VBT RVDA lookup
      - gem mmap ioctl race fix
      - fbdev hpd during suspend fix
      - array size bounds check fix in pmu
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/877ee3504b.fsf@intel.com
      5016bd24
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2019-02-13' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · d586d571
      Dave Airlie authored
      drm-misc-fixes for v5.0:
      - Fix license inconsistency in vkms.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/812e2f53-d72a-8fba-6c8c-fde8f44cf141@linux.intel.com
      d586d571