Commit Graph

783583 Commits

Author SHA1 Message Date
Ake Koomsin
05c998b738 virtio_net: avoid using netif_tx_disable() for serializing tx routine
Commit 713a98d90c ("virtio-net: serialize tx routine during reset")
introduces netif_tx_disable() after netif_device_detach() in order to
avoid use-after-free of tx queues. However, there are two issues.

1) Its operation is redundant with netif_device_detach() in case the
   interface is running.
2) In case of the interface is not running before suspending and
   resuming, the tx does not get resumed by netif_device_attach().
   This results in losing network connectivity.

It is better to use netif_tx_lock_bh()/netif_tx_unlock_bh() instead for
serializing tx routine during reset. This also preserves the symmetry
of netif_device_detach() and netif_device_attach().

Fixes commit 713a98d90c ("virtio-net: serialize tx routine during reset")
Signed-off-by: Ake Koomsin <ake@igel.co.jp>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 22:29:30 -07:00
Paolo Abeni
84dad55951 udp6: fix encap return code for resubmitting
The commit eb63f2964d ("udp6: add missing checks on edumux packet
processing") used the same return code convention of the ipv4 counterpart,
but ipv6 uses the opposite one: positive values means resubmit.

This change addresses the issue, using positive return value for
resubmitting. Also update the related comment, which was broken, too.

Fixes: eb63f2964d ("udp6: add missing checks on edumux packet processing")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 22:26:53 -07:00
Ido Schimmel
9b3bc7db75 mlxsw: core: Fix use-after-free when flashing firmware during init
When the switch driver (e.g., mlxsw_spectrum) determines it needs to
flash a new firmware version it resets the ASIC after the flashing
process. The bus driver (e.g., mlxsw_pci) then registers itself again
with mlxsw_core which means (among other things) that the device
registers itself again with the hwmon subsystem again.

Since the device was registered with the hwmon subsystem using
devm_hwmon_device_register_with_groups(), then the old hwmon device
(registered before the flashing) was never unregistered and was
referencing stale data, resulting in a use-after free.

Fix by removing reliance on device managed APIs in mlxsw_hwmon_init().

Fixes: c86d62cc41 ("mlxsw: spectrum: Reset FW after flash")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
Tested-by: Alexander Petrovskiy <alexpe@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 22:25:45 -07:00
Xin Long
c863850ce2 sctp: not free the new asoc when sctp_wait_for_connect returns err
When sctp_wait_for_connect is called to wait for connect ready
for sp->strm_interleave in sctp_sendmsg_to_asoc, a panic could
be triggered if cpu is scheduled out and the new asoc is freed
elsewhere, as it will return err and later the asoc gets freed
again in sctp_sendmsg.

[  285.840764] list_del corruption, ffff9f0f7b284078->next is LIST_POISON1 (dead000000000100)
[  285.843590] WARNING: CPU: 1 PID: 8861 at lib/list_debug.c:47 __list_del_entry_valid+0x50/0xa0
[  285.846193] Kernel panic - not syncing: panic_on_warn set ...
[  285.846193]
[  285.848206] CPU: 1 PID: 8861 Comm: sctp_ndata Kdump: loaded Not tainted 4.19.0-rc7.label #584
[  285.850559] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  285.852164] Call Trace:
...
[  285.872210]  ? __list_del_entry_valid+0x50/0xa0
[  285.872894]  sctp_association_free+0x42/0x2d0 [sctp]
[  285.873612]  sctp_sendmsg+0x5a4/0x6b0 [sctp]
[  285.874236]  sock_sendmsg+0x30/0x40
[  285.874741]  ___sys_sendmsg+0x27a/0x290
[  285.875304]  ? __switch_to_asm+0x34/0x70
[  285.875872]  ? __switch_to_asm+0x40/0x70
[  285.876438]  ? ptep_set_access_flags+0x2a/0x30
[  285.877083]  ? do_wp_page+0x151/0x540
[  285.877614]  __sys_sendmsg+0x58/0xa0
[  285.878138]  do_syscall_64+0x55/0x180
[  285.878669]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

This is a similar issue with the one fixed in Commit ca3af4dd28
("sctp: do not free asoc when it is already dead in sctp_sendmsg").
But this one can't be fixed by returning -ESRCH for the dead asoc
in sctp_wait_for_connect, as it will break sctp_connect's return
value to users.

This patch is to simply set err to -ESRCH before it returns to
sctp_sendmsg when any err is returned by sctp_wait_for_connect
for sp->strm_interleave, so that no asoc would be freed due to
this.

When users see this error, they will know the packet hasn't been
sent. And it also makes sense to not free asoc because waiting
connect fails, like the second call for sctp_wait_for_connect in
sctp_sendmsg_to_asoc.

Fixes: 668c9beb90 ("sctp: implement assign_number for sctp_stream_interleave")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 22:12:46 -07:00
Marcelo Ricardo Leitner
b336decab2 sctp: fix race on sctp_id2asoc
syzbot reported an use-after-free involving sctp_id2asoc.  Dmitry Vyukov
helped to root cause it and it is because of reading the asoc after it
was freed:

        CPU 1                       CPU 2
(working on socket 1)            (working on socket 2)
	                         sctp_association_destroy
sctp_id2asoc
   spin lock
     grab the asoc from idr
   spin unlock
                                   spin lock
				     remove asoc from idr
				   spin unlock
				   free(asoc)
   if asoc->base.sk != sk ... [*]

This can only be hit if trying to fetch asocs from different sockets. As
we have a single IDR for all asocs, in all SCTP sockets, their id is
unique on the system. An application can try to send stuff on an id
that matches on another socket, and the if in [*] will protect from such
usage. But it didn't consider that as that asoc may belong to another
socket, it may be freed in parallel (read: under another socket lock).

We fix it by moving the checks in [*] into the protected region. This
fixes it because the asoc cannot be freed while the lock is held.

Reported-by: syzbot+c7dd55d7aec49d48e49a@syzkaller.appspotmail.com
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 22:11:14 -07:00
Heiner Kallweit
9675931e6b r8169: re-enable MSI-X on RTL8168g
Similar to d49c88d767 ("r8169: Enable MSI-X on RTL8106e") after
e9d0ba506ea8 ("PCI: Reprogram bridge prefetch registers on resume")
we can safely assume that this also fixes the root cause of
the issue worked around by 7c53a72245 ("r8169: don't use MSI-X on
RTL8168g"). So let's revert it.

Fixes: 7c53a72245 ("r8169: don't use MSI-X on RTL8168g")
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 22:10:33 -07:00
Taehee Yoo
84258438e8 net: bpfilter: use get_pid_task instead of pid_task
pid_task() dereferences rcu protected tasks array.
But there is no rcu_read_lock() in shutdown_umh() routine so that
rcu_read_lock() is needed.
get_pid_task() is wrapper function of pid_task. it holds rcu_read_lock()
then calls pid_task(). if task isn't NULL, it increases reference count
of task.

test commands:
   %modprobe bpfilter
   %modprobe -rv bpfilter

splat looks like:
[15102.030932] =============================
[15102.030957] WARNING: suspicious RCU usage
[15102.030985] 4.19.0-rc7+ #21 Not tainted
[15102.031010] -----------------------------
[15102.031038] kernel/pid.c:330 suspicious rcu_dereference_check() usage!
[15102.031063]
	       other info that might help us debug this:

[15102.031332]
	       rcu_scheduler_active = 2, debug_locks = 1
[15102.031363] 1 lock held by modprobe/1570:
[15102.031389]  #0: 00000000580ef2b0 (bpfilter_lock){+.+.}, at: stop_umh+0x13/0x52 [bpfilter]
[15102.031552]
               stack backtrace:
[15102.031583] CPU: 1 PID: 1570 Comm: modprobe Not tainted 4.19.0-rc7+ #21
[15102.031607] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
[15102.031628] Call Trace:
[15102.031676]  dump_stack+0xc9/0x16b
[15102.031723]  ? show_regs_print_info+0x5/0x5
[15102.031801]  ? lockdep_rcu_suspicious+0x117/0x160
[15102.031855]  pid_task+0x134/0x160
[15102.031900]  ? find_vpid+0xf0/0xf0
[15102.032017]  shutdown_umh.constprop.1+0x1e/0x53 [bpfilter]
[15102.032055]  stop_umh+0x46/0x52 [bpfilter]
[15102.032092]  __x64_sys_delete_module+0x47e/0x570
[ ... ]

Fixes: d2ba09c17a ("net: add skeleton of bpfilter kernel module")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 22:03:40 -07:00
Gustavo A. R. Silva
efa61c8cf2 ptp: fix Spectre v1 vulnerability
pin_index can be indirectly controlled by user-space, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/ptp/ptp_chardev.c:253 ptp_ioctl() warn: potential spectre issue
'ops->pin_config' [r] (local cap)

Fix this by sanitizing pin_index before using it to index
ops->pin_config, and before passing it as an argument to
function ptp_set_pinfunc(), in which it is used to index
info->pin_config.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 22:00:22 -07:00
Nathan Chancellor
8c3bf9b62b net: qla3xxx: Remove overflowing shift statement
Clang currently warns:

drivers/net/ethernet/qlogic/qla3xxx.c:384:24: warning: signed shift
result (0xF00000000) requires 37 bits to represent, but 'int' only has
32 bits [-Wshift-overflow]
                    ((ISP_NVRAM_MASK << 16) | qdev->eeprom_cmd_data));
                      ~~~~~~~~~~~~~~ ^  ~~
1 warning generated.

The warning is certainly accurate since ISP_NVRAM_MASK is defined as
(0x000F << 16) which is then shifted by 16, resulting in 64424509440,
well above UINT_MAX.

Given that this is the only location in this driver where ISP_NVRAM_MASK
is shifted again, it seems likely that ISP_NVRAM_MASK was originally
defined without a shift and during the move of the shift to the
definition, this statement wasn't properly removed (since ISP_NVRAM_MASK
is used in the statenent right above this). Only the maintainers can
confirm this since this statment has been here since the driver was
first added to the kernel.

Link: https://github.com/ClangBuiltLinux/linux/issues/127
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 21:52:40 -07:00
David S. Miller
dc6d0f0b43 Merge branch 'geneve-vxlan-mtu'
Stefano Brivio says:

====================
geneve, vxlan: Don't set exceptions if skb->len < mtu

This series fixes the exception abuse described in 2/2, and 1/2
is just a preparatory change to make 2/2 less ugly.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 21:51:14 -07:00
Stefano Brivio
6b4f92af3d geneve, vxlan: Don't set exceptions if skb->len < mtu
We shouldn't abuse exceptions: if the destination MTU is already higher
than what we're transmitting, no exception should be created.

Fixes: 52a589d51f ("geneve: update skb dst pmtu on tx path")
Fixes: a93bf0ff44 ("vxlan: update skb dst pmtu on tx path")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 21:51:13 -07:00
Stefano Brivio
7463e4f9b9 geneve, vxlan: Don't check skb_dst() twice
Commit f15ca723c1 ("net: don't call update_pmtu unconditionally") avoids
that we try updating PMTU for a non-existent destination, but didn't clean
up cases where the check was already explicit. Drop those redundant checks.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-17 21:51:13 -07:00
Xin Long
0ac1077e3a sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL instead
According to rfc7496 section 4.3 or 4.4:

   sprstat_policy:  This parameter indicates for which PR-SCTP policy
      the user wants the information.  It is an error to use
      SCTP_PR_SCTP_NONE in sprstat_policy.  If SCTP_PR_SCTP_ALL is used,
      the counters provided are aggregated over all supported policies.

We change to dump pr_assoc and pr_stream all status by SCTP_PR_SCTP_ALL
instead, and return error for SCTP_PR_SCTP_NONE, as it also said "It is
an error to use SCTP_PR_SCTP_NONE in sprstat_policy. "

Fixes: 826d253d57 ("sctp: add SCTP_PR_ASSOC_STATUS on sctp sockopt")
Fixes: d229d48d18 ("sctp: add SCTP_PR_STREAM_STATUS sockopt for prsctp")
Reported-by: Ying Xu <yinxu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-16 09:58:49 -07:00
David S. Miller
bd8be2cf8b Merge branch 'nfp-fix-pedit-set-action-offloads'
Jakub Kicinski says:

====================
nfp: fix pedit set action offloads

Pieter says:

This set fixes set actions when using multiple pedit actions with
partial masks and with multiple keys per pedit action. Additionally
it fixes set ipv6 pedit action offloads when using it in combination
with other header keys.

The problem would only trigger if one combines multiple pedit actions
of the same type with partial masks, e.g.:

$ tc filter add dev netdev protocol ip parent ffff: \
    flower indev netdev \
    ip_proto tcp \
    action pedit ex munge \
    ip src set 11.11.11.11 retain 65535 munge \
    ip src set 22.22.22.22 retain 4294901760 pipe \
    csum ip and tcp pipe \
    mirred egress redirect dev netdev
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 23:17:25 -07:00
Pieter Jansen van Vuuren
140b6abac2 nfp: flower: use offsets provided by pedit instead of index for ipv6
Previously when populating the set ipv6 address action, we incorrectly
made use of pedit's key index to determine which 32bit word should be
set. We now calculate which word has been selected based on the offset
provided by the pedit action.

Fixes: 354b82bb32 ("nfp: add set ipv6 source and destination address")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 23:17:25 -07:00
Pieter Jansen van Vuuren
d08c9e5893 nfp: flower: fix multiple keys per pedit action
Previously we only allowed a single header key per pedit action to
change the header. This used to result in the last header key in the
pedit action to overwrite previous headers. We now keep track of them
and allow multiple header keys per pedit action.

Fixes: c0b1bd9a8b ("nfp: add set ipv4 header action flower offload")
Fixes: 354b82bb32 ("nfp: add set ipv6 source and destination address")
Fixes: f8b7b0a6b1 ("nfp: add set tcp and udp header action flower offload")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 23:17:24 -07:00
Pieter Jansen van Vuuren
8913806f16 nfp: flower: fix pedit set actions for multiple partial masks
Previously we did not correctly change headers when using multiple
pedit actions with partial masks. We now take this into account and
no longer just commit the last pedit action.

Fixes: c0b1bd9a8b ("nfp: add set ipv4 header action flower offload")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 23:17:24 -07:00
David Howells
1890fea793 rxrpc: Fix a missing rxrpc_put_peer() in the error_report handler
Fix a missing call to rxrpc_put_peer() on the main path through the
rxrpc_error_report() function.  This manifests itself as a ref leak
whenever an ICMP packet or other error comes in.

In commit f334430316, the hand-off of the ref to a work item was removed
and was not replaced with a put.

Fixes: f334430316 ("rxrpc: Fix error distribution")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 23:13:42 -07:00
Xin Long
d805397c38 sctp: use the pmtu from the icmp packet to update transport pathmtu
Other than asoc pmtu sync from all transports, sctp_assoc_sync_pmtu
is also processing transport pmtu_pending by icmp packets. But it's
meaningless to use sctp_dst_mtu(t->dst) as new pmtu for a transport.

The right pmtu value should come from the icmp packet, and it would
be saved into transport->mtu_info in this patch and used later when
the pmtu sync happens in sctp_sendmsg_to_asoc or sctp_packet_config.

Besides, without this patch, as pmtu can only be updated correctly
when receiving a icmp packet and no place is holding sock lock, it
will take long time if the sock is busy with sending packets.

Note that it doesn't process transport->mtu_info in .release_cb(),
as there is no enough information for pmtu update, like for which
asoc or transport. It is not worth traversing all asocs to check
pmtu_pending. So unlike tcp, sctp does this in tx path, for which
mtu_info needs to be atomic_t.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:54:20 -07:00
Fugang Duan
ec20a63aa8 net: fec: don't dump RX FIFO register when not available
Commit db65f35f50 ("net: fec: add support of ethtool get_regs") introduce
ethool "--register-dump" interface to dump all FEC registers.

But not all silicon implementations of the Freescale FEC hardware module
have the FRBR (FIFO Receive Bound Register) and FRSR (FIFO Receive Start
Register) register, so we should not be trying to dump them on those that
don't.

To fix it we create a quirk flag, FEC_QUIRK_HAS_RFREG, and check it before
dump those RX FIFO registers.

Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:52:18 -07:00
Colin Ian King
fbe1222c63 qed: fix spelling mistake "Ireelevant" -> "Irrelevant"
Trivial fix to spelling mistake in DP_INFO message

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:40:27 -07:00
Eric Dumazet
dc012f3628 ipv6: mcast: fix a use-after-free in inet6_mc_check
syzbot found a use-after-free in inet6_mc_check [1]

The problem here is that inet6_mc_check() uses rcu
and read_lock(&iml->sflock)

So the fact that ip6_mc_leave_src() is called under RTNL
and the socket lock does not help us, we need to acquire
iml->sflock in write mode.

In the future, we should convert all this stuff to RCU.

[1]
BUG: KASAN: use-after-free in ipv6_addr_equal include/net/ipv6.h:521 [inline]
BUG: KASAN: use-after-free in inet6_mc_check+0xae7/0xb40 net/ipv6/mcast.c:649
Read of size 8 at addr ffff8801ce7f2510 by task syz-executor0/22432

CPU: 1 PID: 22432 Comm: syz-executor0 Not tainted 4.19.0-rc7+ #280
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ipv6_addr_equal include/net/ipv6.h:521 [inline]
 inet6_mc_check+0xae7/0xb40 net/ipv6/mcast.c:649
 __raw_v6_lookup+0x320/0x3f0 net/ipv6/raw.c:98
 ipv6_raw_deliver net/ipv6/raw.c:183 [inline]
 raw6_local_deliver+0x3d3/0xcb0 net/ipv6/raw.c:240
 ip6_input_finish+0x467/0x1aa0 net/ipv6/ip6_input.c:345
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:426
 ip6_mc_input+0x48a/0xd20 net/ipv6/ip6_input.c:503
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ipv6_rcv+0x120/0x640 net/ipv6/ip6_input.c:271
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
 netif_receive_skb_internal+0x12c/0x620 net/core/dev.c:5126
 napi_frags_finish net/core/dev.c:5664 [inline]
 napi_gro_frags+0x75a/0xc90 net/core/dev.c:5737
 tun_get_user+0x3189/0x4250 drivers/net/tun.c:1923
 tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1968
 call_write_iter include/linux/fs.h:1808 [inline]
 do_iter_readv_writev+0x8b0/0xa80 fs/read_write.c:680
 do_iter_write+0x185/0x5f0 fs/read_write.c:959
 vfs_writev+0x1f1/0x360 fs/read_write.c:1004
 do_writev+0x11a/0x310 fs/read_write.c:1039
 __do_sys_writev fs/read_write.c:1112 [inline]
 __se_sys_writev fs/read_write.c:1109 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457421
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 34 b5 fb ff c3 48 83 ec 08 e8 1a 2d 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 63 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f2d30ecaba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000003e RCX: 0000000000457421
RDX: 0000000000000001 RSI: 00007f2d30ecabf0 RDI: 00000000000000f0
RBP: 0000000020000500 R08: 00000000000000f0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f2d30ecb6d4
R13: 00000000004c4890 R14: 00000000004d7b90 R15: 00000000ffffffff

Allocated by task 22437:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 sock_kmalloc+0x15a/0x1f0 net/core/sock.c:1983
 ip6_mc_source+0x14dd/0x1960 net/ipv6/mcast.c:427
 do_ipv6_setsockopt.isra.9+0x3afb/0x45d0 net/ipv6/ipv6_sockglue.c:743
 ipv6_setsockopt+0xbd/0x170 net/ipv6/ipv6_sockglue.c:933
 rawv6_setsockopt+0x59/0x140 net/ipv6/raw.c:1069
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3038
 __sys_setsockopt+0x1ba/0x3c0 net/socket.c:1902
 __do_sys_setsockopt net/socket.c:1913 [inline]
 __se_sys_setsockopt net/socket.c:1910 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1910
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 22430:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3813
 __sock_kfree_s net/core/sock.c:2004 [inline]
 sock_kfree_s+0x29/0x60 net/core/sock.c:2010
 ip6_mc_leave_src+0x11a/0x1d0 net/ipv6/mcast.c:2448
 __ipv6_sock_mc_close+0x20b/0x4e0 net/ipv6/mcast.c:310
 ipv6_sock_mc_close+0x158/0x1d0 net/ipv6/mcast.c:328
 inet6_release+0x40/0x70 net/ipv6/af_inet6.c:452
 __sock_release+0xd7/0x250 net/socket.c:579
 sock_close+0x19/0x20 net/socket.c:1141
 __fput+0x385/0xa30 fs/file_table.c:278
 ____fput+0x15/0x20 fs/file_table.c:309
 task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801ce7f2500
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
 192-byte region [ffff8801ce7f2500, ffff8801ce7f25c0)
The buggy address belongs to the page:
page:ffffea000739fc80 count:1 mapcount:0 mapping:ffff8801da800040 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006f6e548 ffffea000737b948 ffff8801da800040
raw: 0000000000000000 ffff8801ce7f2000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ce7f2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ce7f2480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8801ce7f2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8801ce7f2580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801ce7f2600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:38:55 -07:00
Tung Nguyen
d3092b2efc tipc: fix unsafe rcu locking when accessing publication list
The binding table's 'cluster_scope' list is rcu protected to handle
races between threads changing the list and those traversing the list at
the same moment. We have now found that the function named_distribute()
uses the regular list_for_each() macro to traverse the said list.
Likewise, the function tipc_named_withdraw() is removing items from the
same list using the regular list_del() call. When these two functions
execute in parallel we see occasional crashes.

This commit fixes this by adding the missing _rcu() suffixes.

Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:33:27 -07:00
David Howells
7ec8dc96e1 rxrpc: Fix incorrect conditional on IPV6
The udpv6_encap_enable() function is part of the ipv6 code, and if that is
configured as a loadable module and rxrpc is built in then a build failure
will occur because the conditional check is wrong:

  net/rxrpc/local_object.o: In function `rxrpc_lookup_local':
  local_object.c:(.text+0x2688): undefined reference to `udpv6_encap_enable'

Use the correct config symbol (CONFIG_AF_RXRPC_IPV6) in the conditional
check rather than CONFIG_IPV6 as that will do the right thing.

Fixes: 5271953cad ("rxrpc: Use the UDP encap_rcv hook")
Reported-by: kbuild-all@01.org
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:19:46 -07:00
Sabrina Dubroca
f547fac624 ipv6: rate-limit probes for neighbourless routes
When commit 270972554c ("[IPV6]: ROUTE: Add Router Reachability
Probing (RFC4191).") introduced router probing, the rt6_probe() function
required that a neighbour entry existed. This neighbour entry is used to
record the timestamp of the last probe via the ->updated field.

Later, commit 2152caea71 ("ipv6: Do not depend on rt->n in rt6_probe().")
removed the requirement for a neighbour entry. Neighbourless routes skip
the interval check and are not rate-limited.

This patch adds rate-limiting for neighbourless routes, by recording the
timestamp of the last probe in the fib6_info itself.

Fixes: 2152caea71 ("ipv6: Do not depend on rt->n in rt6_probe().")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:18:27 -07:00
Florian Fainelli
64bd9c8135 net: bcmgenet: Poll internal PHY for GENETv5
On GENETv5, there is a hardware issue which prevents the GENET hardware
from generating a link UP interrupt when the link is operating at
10Mbits/sec. Since we do not have any way to configure the link
detection logic, fallback to polling in that case.

Fixes: 421380856d ("net: bcmgenet: add support for the GENETv5 hardware")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:10:21 -07:00
YueHaibing
d6672a5a97 rxrpc: use correct kvec num when sending BUSY response packet
Fixes gcc '-Wunused-but-set-variable' warning:

net/rxrpc/output.c: In function 'rxrpc_reject_packets':
net/rxrpc/output.c:527:11: warning:
 variable 'ioc' set but not used [-Wunused-but-set-variable]

'ioc' is the correct kvec num when sending a BUSY (or an ABORT) response
packet.

Fixes: ece64fec16 ("rxrpc: Emit BUSY packets when supposed to rather than ABORTs")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:08:17 -07:00
David Howells
d7b4c24f45 rxrpc: Fix an uninitialised variable
Fix an uninitialised variable introduced by the last patch.  This can cause
a crash when a new call comes in to a local service, such as when an AFS
fileserver calls back to the local cache manager.

Fixes: c1e15b4944 ("rxrpc: Fix the packet reception routine")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:07:36 -07:00
Jon Maloy
4af00f4cc1 tipc: initialize broadcast link stale counter correctly
In the commit referred to below we added link tolerance as an additional
criteria for declaring broadcast transmission "stale" and resetting the
unicast links to the affected node.

Unfortunately, this 'improvement' introduced two bugs, which each and
one alone cause only limited problems, but combined lead to seemingly
stochastic unicast link resets, depending on the amount of broadcast
traffic transmitted.

The first issue, a missing initialization of the 'tolerance' field of
the receiver broadcast link, was recently fixed by commit 047491ea33
("tipc: set link tolerance correctly in broadcast link").

Ths second issue, where we omit to reset the 'stale_cnt' field of
the same link after a 'stale' period is over, leads to this counter
accumulating over time, and in the absence of the 'tolerance' criteria
leads to the above described symptoms. This commit adds the missing
initialization.

Fixes: a4dc70d46c ("tipc: extend link reset criteria for stale packet retransmission")
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:03:34 -07:00
Cong Wang
5a8e7aea95 llc: set SOCK_RCU_FREE in llc_sap_add_socket()
WHen an llc sock is added into the sk_laddr_hash of an llc_sap,
it is not marked with SOCK_RCU_FREE.

This causes that the sock could be freed while it is still being
read by __llc_lookup_established() with RCU read lock. sock is
refcounted, but with RCU read lock, nothing prevents the readers
getting a zero refcnt.

Fix it by setting SOCK_RCU_FREE in llc_sap_add_socket().

Reported-by: syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 22:01:37 -07:00
David S. Miller
d0f068e572 mlx5-fixes-2018-10-10
-----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJbvqcMAAoJEEg/ir3gV/o+eFsH/2TbJH+i1BuGMVwCB8o+U1Rz
 C01pJmR7Lb7WwQZ8ZKTOqQkS7BkGX1hNGyIlc4i6ZnP+4gsVJAbP6LKPjTvyD7e6
 TNb8bvxTUCOovknrevKkGba8tzoTTsC4wwwbHLGHd1hkKSY1P5hXg8R7vpear+n6
 /PFJwzpIXDAa8AHqeORCNYj7MneUm3kaahcmSOxOhvDbRx3UG9cgy7tEhPjZbRn5
 jPFsxFCSPcGedtI+g8bzodmpneTcu1KF6QCunrl2bGt5EzgDrbaw1UUoctxD2CJR
 Ch45W807EvBJoFiJXXCNf9N+p5020F/Q+mTmK7khPirUjdtoLdcT9Goswpjfbtk=
 =vJIA
 -----END PGP SIGNATURE-----

Merge tag 'mlx5-fixes-2018-10-10' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux

Saeed Mahameed says:

====================
Mellanox, mlx5 fixes 2018-10-10

This pull request includes some fixes to mlx5 driver,
Please pull and let me know if there's any problem.

For -stable v4.11:
('net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type')
For -stable v4.17:
('net/mlx5: Fix memory leak when setting fpga ipsec caps')
For -stable v4.18:
('net/mlx5: WQ, fixes for fragmented WQ buffers API')
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 21:51:28 -07:00
Davide Caratti
e331473fee net/sched: cls_api: add missing validation of netlink attributes
Similarly to what has been done in 8b4c3cdd9d ("net: sched: Add policy
validation for tc attributes"), fix classifier code to add validation of
TCA_CHAIN and TCA_KIND netlink attributes.

tested with:
 # ./tdc.py -c filter

v2: Let sch_api and cls_api share nla_policy they have in common, thanks
    to David Ahern.
v3: Avoid EXPORT_SYMBOL(), as validation of those attributes is not done
    by TC modules, thanks to Cong Wang.
    While at it, restore the 'Delete / get qdisc' comment to its orginal
    position, just above tc_get_qdisc() function prototype.

Fixes: 5bc1701881 ("net: sched: introduce multichain support for filters")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 21:48:44 -07:00
Wenwen Wang
58f5bbe331 ethtool: fix a privilege escalation bug
In dev_ethtool(), the eth command 'ethcmd' is firstly copied from the
use-space buffer 'useraddr' and checked to see whether it is
ETHTOOL_PERQUEUE. If yes, the sub-command 'sub_cmd' is further copied from
the user space. Otherwise, 'sub_cmd' is the same as 'ethcmd'. Next,
according to 'sub_cmd', a permission check is enforced through the function
ns_capable(). For example, the permission check is required if 'sub_cmd' is
ETHTOOL_SCOALESCE, but it is not necessary if 'sub_cmd' is
ETHTOOL_GCOALESCE, as suggested in the comment "Allow some commands to be
done by anyone". The following execution invokes different handlers
according to 'ethcmd'. Specifically, if 'ethcmd' is ETHTOOL_PERQUEUE,
ethtool_set_per_queue() is called. In ethtool_set_per_queue(), the kernel
object 'per_queue_opt' is copied again from the user-space buffer
'useraddr' and 'per_queue_opt.sub_command' is used to determine which
operation should be performed. Given that the buffer 'useraddr' is in the
user space, a malicious user can race to change the sub-command between the
two copies. In particular, the attacker can supply ETHTOOL_PERQUEUE and
ETHTOOL_GCOALESCE to bypass the permission check in dev_ethtool(). Then
before ethtool_set_per_queue() is called, the attacker changes
ETHTOOL_GCOALESCE to ETHTOOL_SCOALESCE. In this way, the attacker can
bypass the permission check and execute ETHTOOL_SCOALESCE.

This patch enforces a check in ethtool_set_per_queue() after the second
copy from 'useraddr'. If the sub-command is different from the one obtained
in the first copy in dev_ethtool(), an error code EINVAL will be returned.

Fixes: f38d138a7d ("net/ethtool: support set coalesce per queue")
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 21:37:58 -07:00
Wenwen Wang
2bb3207dbb ethtool: fix a missing-check bug
In ethtool_get_rxnfc(), the eth command 'cmd' is compared against
'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable
'info_size'. Then the whole structure of 'info' is copied from the
user-space buffer 'useraddr' with 'info_size' bytes. In the following
execution, 'info' may be copied again from the buffer 'useraddr' depending
on the 'cmd' and the 'info.flow_type'. However, after these two copies,
there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also
copied from the buffer 'useraddr' in dev_ethtool(), which is the caller
function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user
space, a malicious user can race to change the eth command in the buffer
between these copies. By doing so, the attacker can supply inconsistent
data and cause undefined behavior because in the following execution 'info'
will be passed to ops->get_rxnfc().

This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that
they are still same after the two copies in ethtool_get_rxnfc(). Otherwise,
an error code EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 21:37:01 -07:00
Jian-Hong Pan
d49c88d767 r8169: Enable MSI-X on RTL8106e
Originally, we have an issue where r8169 MSI-X interrupt is broken after
S3 suspend/resume on RTL8106e of ASUS X441UAR.

02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd.
RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller [10ec:8136]
(rev 07)
	Subsystem: ASUSTeK Computer Inc. RTL810xE PCI Express Fast
Ethernet controller [1043:200f]
	Flags: bus master, fast devsel, latency 0, IRQ 16
	I/O ports at e000 [size=256]
	Memory at ef100000 (64-bit, non-prefetchable) [size=4K]
	Memory at e0000000 (64-bit, prefetchable) [size=16K]
	Capabilities: [40] Power Management version 3
	Capabilities: [50] MSI: Enable- Count=1/1 Maskable- 64bit+
	Capabilities: [70] Express Endpoint, MSI 01
	Capabilities: [b0] MSI-X: Enable+ Count=4 Masked-
	Capabilities: [d0] Vital Product Data
	Capabilities: [100] Advanced Error Reporting
	Capabilities: [140] Virtual Channel
	Capabilities: [160] Device Serial Number 01-00-00-00-36-4c-e0-00
	Capabilities: [170] Latency Tolerance Reporting
	Kernel driver in use: r8169
	Kernel modules: r8169

We found the all of the values in PCI BAR=4 of the ethernet adapter
become 0xFF after system resumes.  That breaks the MSI-X interrupt.
Therefore, we can only fall back to MSI interrupt to fix the issue at
that time.

However, there is a commit which resolves the drivers getting nothing in
PCI BAR=4 after system resumes.  It is 04cb3ae895d7 "PCI: Reprogram
bridge prefetch registers on resume" by Daniel Drake.

After apply the patch, the ethernet adapter works fine before suspend
and after resume.  So, we can revert the workaround after the commit
"PCI: Reprogram bridge prefetch registers on resume" is merged into main
tree.

This patch reverts commit 7bb05b85bc
"r8169: don't use MSI-X on RTL8106e".

Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=201181
Fixes: 7bb05b85bc ("r8169: don't use MSI-X on RTL8106e")
Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 21:31:53 -07:00
David S. Miller
028c99fa91 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says:

====================
pull-request: bpf 2018-10-14

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Fix xsk map update and delete operation to not call synchronize_net()
   but to piggy back on SOCK_RCU_FREE for sockets instead as we are not
   allowed to sleep under RCU, from Björn.

2) Do not change RLIMIT_MEMLOCK in reuseport_bpf selftest if the process
   already has unlimited RLIMIT_MEMLOCK, from Eric.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-14 13:01:20 -07:00
Greg Kroah-Hartman
bab5c80b21 ARM: SoC fixes for 4.19
Two last minute bugfixes, both for NXP platforms:
 
 * The Layerscape 'qbman' infrastructure suffers from probe ordering
   bugs in some configurations, a two-patch series adds a hotfix for
   this. 4.20 will have a longer set of patches to rework it.
 
 * The old imx53-qsb board regressed in 4.19 after the addition
   of cpufreq support, adding a set of explicit operating points
   fixes this.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbwLz1AAoJEGCrR//JCVInfygP/2U3Uqt3Tr2QRROx4wIl0gGh
 +sE5gfjBSrXPXq8SoLrJOOgxHYQwbAoWO93rYcmgjhn5a14YZuJzK9cgKiHaHOIc
 fbkqjGrJ8Bbmy6gRCKrEVCvF8W6qV4pAwh/VT+HFaKDJK6pblvJEOysAAzFEbAP+
 3fOxJcjKh5KaDrvWS/Y/wVBd5BUfpIpPWksWBaRONIfaO24gGs5Bp+OfVS/u2Ccz
 iml59Pgg3KsaBr5u6PQSgZDfJ1CX4mMdJS0yLlqCdh+LdHduCWomH15OLIxiCEty
 8hrDeSleMRW7MzIhbnxvGgkKGE3wa5yPr5ABMB6DR6wcWuI0V1K5TDr0GP4x53yK
 li4+rFGVgenIkGqtFEogYerfbH7jLp3noC/7SYKPsT4wkSSoXegFgOw+tV9DPmVf
 6CZbNP98HCNlPyu/pxizHv9PHPKOVmzO7k32Afens35/7/2oPrbeNnXbBRBaKbFF
 2oUUNyHER6DOuELsXcMZGLeJpp5lwRa7+0/6pKOFvqkirbJji7N1o7EBNMG2ZL82
 OiDXK4SKip9TWDfZ7ueKV8TznYnGlWmiGc1az1wrsOctB8Sk2tqxl7UADFOYM/5L
 KBwDw9SVttRWfbKTBhEiaFIyHLY+X6JPSbEqbXU7HL/MNW9JlGVwZzFHtaq/AaYL
 yPNvMgg7GFfGpEk8pQFV
 =WY74
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-fixes-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Arnd writes:
  "ARM: SoC fixes for 4.19

   Two last minute bugfixes, both for NXP platforms:

   * The Layerscape 'qbman' infrastructure suffers from probe ordering
     bugs in some configurations, a two-patch series adds a hotfix for
     this. 4.20 will have a longer set of patches to rework it.

   * The old imx53-qsb board regressed in 4.19 after the addition
     of cpufreq support, adding a set of explicit operating points
     fixes this."

* tag 'armsoc-fixes-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  soc: fsl: qman_portals: defer probe after qman's probe
  soc: fsl: qbman: add APIs to retrieve the probing status
  ARM: dts: imx53-qsb: disable 1.2GHz OPP
2018-10-12 17:41:27 +02:00
David Howells
f014ffb025 afs: Fix afs_server struct leak
Fix a leak of afs_server structs.  The routine that installs them in the
various lookup lists and trees gets a ref on leaving the function, whether
it added the server or a server already exists.  It shouldn't increment
the refcount if it added the server.

The effect of this that "rmmod kafs" will hang waiting for the leaked
server to become unused.

Fixes: d2ddc776a4 ("afs: Overhaul volume and server record caching and fileserver rotation")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-12 17:36:40 +02:00
Peter Rosin
b40afc0066 MAINTAINERS: use the correct location for dt-bindings includes for mux
Just drop the "linux" part of the path, it was never correct.

Reported-by: Joe Perches <joe@perches.com>
Fixes: 256ac03750 ("dt-bindings: document devicetree bindings for mux-controllers and gpio-mux")
Signed-off-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-12 17:36:39 +02:00
Peter Rosin
38a12607a8 mux: adgs1408: use the correct MODULE_LICENSE
The file is GPL v2 or later.

Acked-by: Mircea Caprioru <mircea.caprioru@analog.com>
Signed-off-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-12 17:36:39 +02:00
David Howells
6b3944e42e afs: Fix cell proc list
Access to the list of cells by /proc/net/afs/cells has a couple of
problems:

 (1) It should be checking against SEQ_START_TOKEN for the keying the
     header line.

 (2) It's only holding the RCU read lock, so it can't just walk over the
     list without following the proper RCU methods.

Fix these by using an hlist instead of an ordinary list and using the
appropriate accessor functions to follow it with RCU.

Since the code that adds a cell to the list must also necessarily change,
sort the list on insertion whilst we're at it.

Fixes: 989782dcdc ("afs: Overhaul cell database management")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-12 13:18:57 +02:00
Greg Kroah-Hartman
4ea07abbfb MMC core:
- Avoid fragile multiblock reads for the last sector in SPI mode
 
 WIFI/SDIO:
  - libertas: Fixup suspend sequence for the SDIO card
 -----BEGIN PGP SIGNATURE-----
 
 iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAlvAeBQXHHVsZi5oYW5z
 c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjCnGZQ/+OYERfaKGxOWlfTyBEFUoVHid
 OKoayYgtI4rHATsDYxo4h33dPneAxd1HL0sGa7U7ReY2whUfMlxzVw0Y1MhfVlwn
 LrKXzVvuAu57FbckGIf4aROw6NHGSxYZALCTbFxN/Lz1I7rEsjrKytl5wV8o2Sgc
 INevRqYQTQq7B4nkEGCLvvbKOfTSitvh8uYKAXGJRKxM9PEBc0JgZ/eOJe+iFmUV
 T79Fj5Rv6Fqi2cKh25kzTD/RVQt/NOKBb7hblnKrAsMCNWOOPhXNacKsXWTpBI0u
 w1TAy1rFbmHC1KGuZuVYiYxgYJTkfCqybEh3SQNO+4qxBT6PZjRUIzrQjZ24xAm2
 lvXjkhRl0OtS+mAWYDa3CyX+2+sSx45QDjUtpaHdfwpCv3ykoxjpnTS1TWqkdKzh
 7MKeeYMH5yF/ERTdPWKNqya11DF5vaI4I10dxux1vHLSVhHFRT4dq0h2XvXL/n8S
 +d3Oli3Mn7osXyyCiQCv1vhkaSzRrp3mHKzcbColB2VJPqiHPqjZ8fj7cVdmm8IB
 A+25FuLXOaty21SwNsJBwCnxsIGI3t7G0tnh6fu2ZuXEAQGeKlqq6i0Wsq9H2PRs
 RGX/tUhphTFXw/E23BZwd3V5igJohy+9MKJttfGxBYJDuJvHAw+pPzv+uTzVsh+d
 7D4fwEbVnC9TxCOea4g=
 =s+ye
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Ulf writes:
   "MMC core:
    - Avoid fragile multiblock reads for the last sector in SPI mode
    WIFI/SDIO:
    - libertas: Fixup suspend sequence for the SDIO card"

* tag 'mmc-v4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  libertas: call into generic suspend code before turning off power
  mmc: block: avoid multiblock reads for the last sector in SPI mode
2018-10-12 12:57:05 +02:00
Greg Kroah-Hartman
60bd7be764 GPIO fix for the v4.19 series:
- Fix up the interrupt parent for the irqdomains.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbwFv8AAoJEEEQszewGV1zMrIP/jU2Mr91B3HECmflXH2bV9YQ
 fVv0ey8XLI96ZOFEHtIh5S4j77WIY7enycZVv8CHgZQcGn+f0trKL0SmEtygEHDD
 vDyBnISC0FLARWYEQs2GR01GsmRvRXFYaqxUhRRoJ/tODnj+ZZ4XXTt4Y5WaoIhX
 6vNAnE/ZKG8D1rL68gAgdD6y3gCLKyr+AryfAMpLQf2lZvrO4Ri0gZ19/mGBw2PF
 kM/1QSNN6OnSIpbkxtirwFWTGaiF5QTSBFha5mBTTpiBxBZCCIIyoDCez3iS//io
 cTu7PSyuwWPuOSIwHksYbfT4HJtgLZYyy5AKw/ymUn2sDOFAHWfw1MgE9+mQdcea
 1us73cf+gavOpiTczo7zi3H+fmzzad9XauorDSFP6pAy9WzJC3B2DzSFtTsnH90A
 FNOZ5DOEzanNZgDQM9yTSMqlQ0Bs/Pb20Brpk69lMPzCeGMbM4mS8KnuPmEAlzoE
 zGYlMaLZt4ww+ZZCWgdl070jwn9hV30gJybUgYIFSaP0gFAKrhFRkMzMMQLFA3D+
 nDQjyEPV6qdl7ZceEovpvjQiRB2CErsNkH/5CJgZAYJRfhbYItM9WZWYiRU5J6uM
 nwF28mEva5nuPGh6t9iZFHcQnQZLl+WUPvScdzivLEttpbxI1pbd+4byh7xDpWqa
 OGvzIuDln3w+OVDyXWsa
 =5Sij
 -----END PGP SIGNATURE-----

Merge tag 'gpio-v4.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio

Linus writes:
  "GPIO fix for the v4.19 series:
   - Fix up the interrupt parent for the irqdomains."

* tag 'gpio-v4.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio: Assign gpio_irq_chip::parents to non-stack pointer
2018-10-12 12:56:25 +02:00
Greg Kroah-Hartman
ef0e75a47c A single pin control fix for v4.19:
- Interrupt setup in the MCP23S08 driver.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbwFqJAAoJEEEQszewGV1zukkP/AplWWlbD8ZwpRvcCZeCRiRw
 lZv6qwdunDUY9b10WHCeQvYbxKI+WYC336ASNiBpR7mB4J3qJ0AuSDqmBldwB0dI
 k3oQ3T1U0YLAnzSAZJ0LVzzLpEup60FZrS7e+w1DzB6DY+ofGjT+alqY8F6OPRuw
 v75unuH209NJSN63/OQgkBKW5byWdLA1hI+zgaPUsU3RyNDXPleUbRjDLK2C4YyU
 2Chkvan3841qH6bEtd95PSkrF7z5WLDNHXL8sMZB8RNMxVIwzcdeXDI/sHVo0GFm
 SmKzhI8nkTEWp8nnzfQyUDIcEF8WfLnjicSpEdGi2t3chtjEJezV8+ggrCNR8vc2
 uxsZ5q1x9Dm4OyimWW8o3GkDI6yWaWR54Pn6tcRN3Gfc+8BuS4W704dsRt4eG6kU
 tRuxQqhUgzt6WK1Cej3zZJNIyZYftcQcRbS5eojf12l5rpEkWDrEYcQ27+zuKUI4
 xG1etFXtEY2RbRx+aiy2+emIEqHXQSrVmCsR5GVeIpgv/lStdsKkMW3/ItZhrOWM
 YV31InCk6+MgHSkt2j8vOSqqqA0Ih0CqQcpLZ40HBeIRGjfrYJK2QH2qHYwFNTEa
 DHspa7mvKaEE1qr5zjiHV47yS27ZhqcOyvU+aGwEvuFFt8WLggRTSUgy9En2nRew
 5XFm7efspLxpLoM4OCJf
 =XPcv
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-v4.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Linus writes:
  "pin control fix for v4.19:

   A single pin control fix for v4.19:
   - Interrupt setup in the MCP23S08 driver."

* tag 'pinctrl-v4.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: mcp23s08: fix irq and irqchip setup order
2018-10-12 12:55:47 +02:00
Greg Kroah-Hartman
a291ab2d40 * Fix a stack overflow in lib/bch.c
-----BEGIN PGP SIGNATURE-----
 
 iQI5BAABCAAjBQJbwEtmHBxib3Jpcy5icmV6aWxsb25AYm9vdGxpbi5jb20ACgkQ
 Ze02AX4ItwB9+g/7BGRJ4PkXiDVNI01N/I50oSeAQhfSJPGLOH4uWRLvvAwMMoqJ
 WmblcUwvllg7E8t9hcMOINuVEhweSAu6YxKBvVbGRKhqnuV13eNyOj8OB4IF+Yk0
 RVAYbf1lyyfZGs4PQGwvMG14kM4Y/9ttVnwfewOjBqdJf66MiTeRTX4k7z7GTrYo
 kpkTSwKUlYi9eEEJB9Mhq9Ib9f2aiIeGWhzX/oZQ5ZIW0u5wkjdYTgIA4xaT1vML
 m4KiTBRMbDV63BWuJmSDi7YXLvEb9PbZRC2EA5j8VwDmEgWDw3hPuSdayQ06s/1g
 JjZR7s6+HW8D84i9ecGJOafOS0nuwIkdBJ7aepDkiad87crweWLf9JRxkz11LPbw
 DRrXIDswh8525fHLSwK9Fzg067fSJye8XrQtwMgZVAG6d+dDkrjzgUAfTo9fTf2j
 0pShcwedDmoJrL5ntO0MQKm05RfUKRe7HmiUXX3FiXDdjNyhSM9SReN2dPw9MszP
 mlwaWZdmg3hd6cvn0aCHvmqbDBxeh1mS3RyEcXxONU+h1NGv3IS0mpLD3vLk7SHm
 6Al8+Lpbd92ldEnPLYUrJeBlhJJiwS1amTZf4xxKGWLDFM4pKzWwj9T2vFtVAZAa
 bXEs8x8CgHbfP/oYBh8sHFjoHGlaF+f6opfp5JuUcHV3GHhUFDVlVQyOBR8=
 =vdMk
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-4.19-rc8' of git://git.infradead.org/linux-mtd

Boris writes:
  "mdt: fix for 4.19-rc8

   * Fix a stack overflow in lib/bch.c"

* tag 'mtd/fixes-for-4.19-rc8' of git://git.infradead.org/linux-mtd:
  lib/bch: fix possible stack overrun
2018-10-12 12:54:26 +02:00
Greg Kroah-Hartman
62d2e531d7 single nouveau runtime reference and mst change
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbwDfFAAoJEAx081l5xIa+w1UP/2r/3PaJoqy/O7kqr9rH44PY
 TNCFfLlyhAtF/iwXGYockl2eOnGefIX10yhB1TKp6vcIkmXDwyAfMLs5AOrs8u2R
 x/O8OslMvXsaXq1tPTD9EvEtl380RtXnFgDxxXSI1gpUBPaqzEFsTGKjfyOMcyO4
 /jEg2LGStg1lENHTrDyxuxHInjd2JoHRS4HBT4By2oVP3JZAFgk5MMpW6ejIwGgm
 Xi1uBwfEw3ZWqenTYXl2aNzApRH3175G96jZVW7CNPXgR4wFtgcE3HRlN1ZUxe0V
 QjBrKrZCx1UB3EDKKZXnrqTYYywqh6SjJR9gZaKJOlM5lI+lYGb3r9oyM0YtcI9+
 cdMA2TLlHiy/oACjLgce9PtwrbuU6uQdGaX3mMOl+E+tLWMT0om+8zZLdGRxOh7S
 WyFTLr/ekTYY2MY4mMw1d+yZuMnhDExZtXLDJqHo5F01BMU7r6PX8mtQOTq6yik1
 BY+0mqkbsieUyNZyiPa+rRcVddqd8BVNjU5Fs2MA7jQ1E2EALHvGlKj2D4pxqrvZ
 8XgF7hUA7/h5Kt8glEIuebz/6jpSpa+QM7BgyriVGd/6Um0iEKzQxxzZDGEAr/p6
 C3vIDLMCKNwd/8AmwFipNXrBCzjiTOL00WHXw+CF1nuQoF3Q4oauMOQe4kSc7arl
 g+CoKv0dH4dO9eXHGgJa
 =8MHk
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2018-10-12-1' of git://anongit.freedesktop.org/drm/drm

Dave writes:
  "drm fixes for 4.19-rc8

   single nouveau runtime reference and mst change"

* tag 'drm-fixes-2018-10-12-1' of git://anongit.freedesktop.org/drm/drm:
  drm/nouveau/drm/nouveau: Grab runtime PM ref in nv50_mstc_detect()
2018-10-12 12:53:48 +02:00
Greg Kroah-Hartman
c789174bde Final for-rc pull request for 4.19
We only have one bug to submit this time around.  It fixes a DMA unmap
 issue where we unmapped the DMA address from the IOMMU before we did
 from the card, resulting in a DMAR error with IOMMU enabled, or possible
 crash without.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbv508AAoJELgmozMOVy/dw4oP/2ibxsE6MOtGfpbYldqiK2Jt
 wmq1Sfdunx85acHv3gyF4MEprqGbFPR9RXhLA/0gn3ywPHElgVAG5/w4xgFJXDk7
 nlwBeMuPjWkSvfPgPAKl1NhQ/nmSjbeBl3B+Nh2T3tZwjKEBRDdoFacxfSuP7K1x
 yzGVkniSvyecskfgVV026qN9XiVboXeNotFWNq41MGmPrbLZrQRyu/uwnn1dbdKE
 CpHfsFUpIXlCwhJT8s/MVs4CpvKQ0cEPTc+mkoy0YBsVBxQXFMeHXRUAHmsy/Q6P
 AKsYkBA9hZjAMLcGeF3YOQyZ3/c4hXdQYshw+g566MtmpHA+pn0wZQT9YOEZwq7C
 OoSaxLM1arOJKZvYv3v1Q0hZAtZgAsZeRItEEAmIGdxn9V90omyMd7CaZ+7FsKIp
 X4e8ooR8v9qyiQu6uMZw6JIydwp0NM3BR9Ko1b165LRS8+Zaq/SjjUo6jmczhzZv
 6i619iBl57nC+S7HLwv7HgoZnWgs8Pfp9cu3JI6RUcjwT8LRr0MeASW3CEkS9Pq0
 T7poMHZ7X8ydGtKuRbCzSJvYRGAfVmYBUAZaobE28mNXVx1kCzN1ZT3JCEC6UgnT
 uydC9zYps7I50vyr0Ah4kahnupStId9mjGf6Aa8UlZzh5koZqk4tHyTpkoqMFp44
 0LyrVB1C1Ai8PIRJIj/L
 =hozJ
 -----END PGP SIGNATURE-----

Merge tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Doug writes:
  "RDMA fixes:

   Final for-rc pull request for 4.19

   We only have one bug to submit this time around.  It fixes a DMA
   unmap issue where we unmapped the DMA address from the IOMMU before
   we did from the card, resulting in a DMAR error with IOMMU enabled,
   or possible crash without."

* tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  IB/mlx5: Unmap DMA addr from HCA before IOMMU
2018-10-12 12:53:06 +02:00
Greg Kroah-Hartman
eb81bfb224 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Dmitry writes:
  "Input updates for v4.19-rc7

   - we added a few scheduling points into various input interfaces to
     ensure that large writes will not cause RCU stalls
   - fixed configuring PS/2 keyboards as wakeup devices on newer
     platforms
   - added a new Xbox gamepad ID."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: uinput - add a schedule point in uinput_inject_events()
  Input: evdev - add a schedule point in evdev_write()
  Input: mousedev - add a schedule point in mousedev_write()
  Input: i8042 - enable keyboard wakeups by default when s2idle is used
  Input: xpad - add support for Xbox1 PDP Camo series gamepad
2018-10-12 12:35:02 +02:00
Greg Kroah-Hartman
0c53b6a5f8 Two fixes from Peter Oberparleiter <oberpar@linux.ibm.com>:
Commit
 
   6b7dca401c ("tracing: Allow gcov profiling on only ftrace subsystem")
 
 uncovered linker problems when using gcov kernel profiling on some
 architectures. These problems were likely introduced earlier, and are
 possibly related to compiler changes.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEmFtoH6RZGWmXU6JkifkcCkHVwHoFAlu/yIEACgkQifkcCkHV
 wHr8vRAAl36pf3VwpX1D0ps5+qkDJLjU+B+Y/fUY2G1dPL133qzogJcvjqMAbQiC
 QFLTS6/++WGbDx6VFhW7sf+WLIew1Qx3g51lV1XJ7mN/+2WtJ8W0dvkXnNE2kJbi
 jaOBwNnhZzuTi14J+6JfhC/tRqD46OKh/zDsNr7ORhBayV1zYpOpKqg5T9Fdt+jW
 DkErv5miHo2Nt7jNCfZh7JgzJBI8CIsHuZcpQoMMgLaRmjdTKewV08wMEGhymu8E
 mafkNy7PXNu58VYITfYgVpVhJd9KMYa/22C9g4hTAFe3hLpUcWrhC5Sv1b90lxkY
 j57mdmGREHNM1/A3ilio0q8/JYn/F5u+hRJxl+xAvtQS9vFxWe0+6MW9oDA/JKnS
 0wSHTQG/sAFiSVS1k0vjxBYkcrS/IHtfnkxBiikedXDvOQsknOYaHDVpChWPe/YI
 W0wmdJDszfsk4/AzSpnHQ1MQiAtgwGL/SgzH7gVS0ALov/aci/LQty32q7izzCgY
 G6WH6Vze9eaIP23J6UF1o+iBurao581eV6zvX5KKucWq/W5ENQ0At+272Y67/OBC
 u933VNgsk9TmUh9UHoQZp/IMdKy9gDfu/LXupy4WkHPHutEi/0+tu6EtkuuFgg0/
 O/zFNZwgGfP6I49GP1eXD4wXXETRkjepdqnE5mJF0CLKbCSM4qo=
 =mvmS
 -----END PGP SIGNATURE-----

Merge tag 'next-fixes-20181012' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes

Stephen writes:
  "A couple of warning fixes:

  Two fixes from Peter Oberparleiter <oberpar@linux.ibm.com>:
    Commit 6b7dca401c ("tracing: Allow gcov profiling on only ftrace subsystem")
   uncovered linker problems when using gcov kernel profiling on some
   architectures. These problems were likely introduced earlier, and are
   possibly related to compiler changes."

* tag 'next-fixes-20181012' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes:
  vmlinux.lds.h: Fix linker warnings about orphan .LPBX sections
  vmlinux.lds.h: Fix incomplete .text.exit discards
2018-10-12 12:33:54 +02:00
Arnd Bergmann
f0fe77f601 lib/bch: fix possible stack overrun
The previous patch introduced very large kernel stack usage and a Makefile
change to hide the warning about it.

From what I can tell, a number of things went wrong here:

- The BCH_MAX_T constant was set to the maximum value for 'n',
  not the maximum for 't', which is much smaller.

- The stack usage is actually larger than the entire kernel stack
  on some architectures that can use 4KB stacks (m68k, sh, c6x), which
  leads to an immediate overrun.

- The justification in the patch description claimed that nothing
  changed, however that is not the case even without the two points above:
  the configuration is machine specific, and most boards  never use the
  maximum BCH_ECC_WORDS() length but instead have something much smaller.
  That maximum would only apply to machines that use both the maximum
  block size and the maximum ECC strength.

The largest value for 't' that I could find is '32', which in turn leads
to a 60 byte array instead of 2048 bytes. Making it '64' for future
extension seems also worthwhile, with 120 bytes for the array. Anything
larger won't fit into the OOB area on NAND flash.

With that changed, the warning can be enabled again.

Only linux-4.19+ contains the breakage, so this is only needed
as a stable backport if it does not make it into the release.

Fixes: 02361bc778 ("lib/bch: Remove VLA usage")
Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
2018-10-12 09:17:46 +02:00