Commit Graph

739362 Commits

Author SHA1 Message Date
Tobin C. Harding
2ad7429392 leaking_addresses: skip '/proc/1/syscall'
The pointers listed in /proc/1/syscall are user pointers, and negative
syscall args will show up like kernel addresses.

For example

/proc/31808/syscall: 0 0x3 0x55b107a38180 0x2000 0xffffffffffffffb0 \
0x55b107a302d0 0x55b107a38180 0x7fffa313b8e8 0x7ff098560d11

Skip parsing /proc/1/syscall

Suggested-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
472c9e1085 leaking_addresses: skip all /proc/PID except /proc/1
When the system is idle it is likely that most files under /proc/PID
will be identical for various processes.  Scanning _all_ the PIDs under
/proc is unnecessary and implies that we are thoroughly scanning /proc.
This is _not_ the case because there may be ways userspace can trigger
creation of /proc files that leak addresses but were not present during
a scan.  For these two reasons we should exclude all PID directories
under /proc except '1/'

Exclude all /proc/PID except /proc/1.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
5e4bac34ed leaking_addresses: cache architecture name
Currently we are repeatedly calling `uname -m`.  This is causing the
script to take a long time to run (more than 10 seconds to parse
/proc/kallsyms).  We can use Perl state variables to cache the result of
the first call to `uname -m`.  With this change in place the script
scans the whole kernel in under a minute.

Cache machine architecture in state variable.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
b401f56f33 leaking_addresses: simplify path skipping
Currently script has multiple configuration arrays.  This is confusing,
evident by the fact that a bunch of the entries are in the wrong place.
We can simplify the code by just having a single array for absolute
paths to skip and a single array for file names to skip wherever they
appear in the scanned directory tree.  There are also currently multiple
subroutines to handle the different arrays, we can reduce these to a
single subroutine also.

Simplify the path skipping code.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
e2858caddc leaking_addresses: do not parse binary files
Currently script parses binary files.  Since we are scanning for
readable kernel addresses there is no need to parse binary files.  We
can use Perl to check if file is binary and skip parsing it if so.

Do not parse binary files.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
1410fe4eea leaking_addresses: add 32-bit support
Currently script only supports x86_64 and ppc64.  It would be nice to be
able to scan 32-bit machines also.  We can add support for 32-bit
architectures by modifying how we check for false positives, taking
advantage of the page offset used by the kernel, and using the correct
regular expression.

Support for 32-bit machines is enabled by the observation that the kernel
addresses on 32-bit machines are larger [in value] than the page offset.
We can use this to filter false positives when scanning the kernel for
leaking addresses.

Programmatic determination of the running architecture is not
immediately obvious (current 32-bit machines return various strings from
`uname -m`).  We therefore provide a flag to enable scanning of 32-bit
kernels.  Also we can check the kernel config file for the offset and if
not found default to 0xc0000000.  A command line option to parse in the
page offset is also provided.  We do automatically detect architecture
if running on ix86.

Add support for 32-bit kernels.  Add a command line option for page
offset.

Suggested-by: Kaiwan N Billimoria <kaiwan.billimoria@gmail.com>
Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
5eb0da0568 leaking_addresses: add is_arch() wrapper subroutine
Currently there is duplicate code when checking the architecture type.
We can remove the duplication by implementing a wrapper function
is_arch().

Implement and use wrapper function is_arch().

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
6efb745828 leaking_addresses: use system command to get arch
Currently script uses Perl to get the machine architecture. This can be
erroneous since Perl uses the architecture of the machine that Perl was
compiled on not the architecture of the running machine. We should use
the systems `uname` command instead.

Use `uname -m` instead of Perl to get the machine architecture.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
2f042c93a1 leaking_addresses: add support for 5 page table levels
Currently script only supports 4 page table levels because of the way
the kernel address regular expression is crafted. We can do better than
this. Using previously added support for kernel configuration options we
can get the number of page table levels defined by
CONFIG_PGTABLE_LEVELS. Using this value a correct regular expression can
be crafted. This only supports 5 page tables on x86_64.

Add support for 5 page table levels on x86_64.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
f9d2a42dac leaking_addresses: add support for kernel config file
Features that rely on the ability to get kernel configuration options
are ready to be implemented in script. In preparation for this we can
add support for kernel config options as a separate patch to ease
review.

Add support for locating and parsing kernel configuration file.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
87e3758856 leaking_addresses: add range check for vsyscall memory
Currently script checks only first and last address in the vsyscall
memory range. We can do better than this. When checking for false
positives against $match, we can convert $match to a hexadecimal value
then check if it lies within the range of vsyscall addresses.

Check whole range of vsyscall addresses when checking for false
positive.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
15d60a35b8 leaking_addresses: indent dependant options
A number of the command line options to script are dependant on the
option --input-raw being set. If we indent these options it makes
explicit this dependency.

Indent options dependant on --input-raw.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
6145de836a leaking_addresses: remove command examples
Currently help output includes command examples. These were cute when we
first started development of this script but are unnecessary.

Remove command examples.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
20cdfb5fc4 leaking_addresses: remove mention of kptr_restrict
leaking_addresses.pl can be run with kptr_restrict==0 now, we don't need
the comment about setting kptr_restrict any more.

Remove comment suggesting setting kptr_restrict.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Tobin C. Harding
6d23dd9bbb leaking_addresses: fix typo function not called
Currently code uses a check against an undefined variable because the
variable is a sub routine name and is not evaluated.

Evaluate subroutine; add parenthesis to sub routine name.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
2018-04-07 08:50:34 +10:00
Linus Torvalds
0adb32858b Linux 4.16 2018-04-01 14:20:27 -07:00
Linus Torvalds
10b84daddb Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
 "Two fixlets"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/hwbp: Simplify the perf-hwbp code, fix documentation
  perf/x86/intel: Fix linear IP of PEBS real_ip on Haswell and later CPUs
2018-03-31 07:59:00 -10:00
Linus Torvalds
ad0500ca87 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
 "Two UV platform fixes, and a kbuild fix"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/platform/UV: Fix critical UV MMR address error
  x86/platform/uv/BAU: Add APIC idt entry
  x86/purgatory: Avoid creating stray .<pid>.d files, remove -MD from KBUILD_CFLAGS
2018-03-31 07:50:30 -10:00
Linus Torvalds
93e04d4ad7 Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 PTI fixes from Ingo Molnar:
 "Two fixes: a relatively simple objtool fix that makes Clang built
  kernels work with ORC debug info, plus an alternatives macro fix"

* 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/alternatives: Fixup alternative_call_2
  objtool: Add Clang support
2018-03-31 07:26:48 -10:00
Linus Torvalds
b5dbc28762 Kbuild fixes for v4.16 (3rd)
- fix missed rebuild of TRIM_UNUSED_KSYMS
 
 - fix rpm-pkg for GNU tar >= 1.29
 
 - include scripts/dtc/include-prefixes/* to kernel header deb-pkg
 
 - add -no-integrated-as option ealier to fix building with Clang
 
 - fix netfilter Makefile for parallel building
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJavwJpAAoJED2LAQed4NsGQuIQAK/UmPVczOxT7RefB4BrAsZG
 Zlai7HnfpzWk5EZE6fbTHTmbFu6HZ1TuYhOW5UlJcxd3P+nJfL5WwDo0H52LVfLT
 UkSubLCtZBl+DqtbuOg4Xrmh8k3WneGqYT7H9D19LRXTeeoh82g81+mWYL3F9UOA
 OWGzKf9+3CQhP7OjeVlfdQ8qv2UR+snyIK0jNRImTuhtys8iy2Q4EP/nQYtF7oAA
 KcYY62rS3qVKfTrdk5NY7kxvpp6/1m6141UPR75Xve7h+Emx/u0RthiMUW08e2bv
 PX5IlyI8XFz54wD2tojawMEo235cYPJAKQHZAry5tiLXvOF5vEZvoPGc8oUZnMGe
 bMNONRfXrKWi10/pcTqEfl6gEAE+bvOrqIKj/DECT4hF1av2uEeou/SzuEX+wbqK
 GxU4L5mnUwDsJNLPiUeVjyl4GD48X16lBdCs9laamRzYat5lKzJFBmgNf0dyHdI+
 l/myEtk17nSeohPWRgUeTBcP8O+E27rER7U/+KC0c4spwKrEfLFIzzNauLLJdugN
 o1VNYacseg3cLQnjSpmC26jxZw29jMFaLM5mBuiI7/F9mUlK6zaG6gyoDzV3A5lN
 jgPw48apNj4SLnUMrOi+1RYWXWkguF09f8GecjJKXvR5wGqzY7E3ZDi/zgXBf72q
 5r5dDuIExh0KXcO9Risp
 =2WPN
 -----END PGP SIGNATURE-----

Merge tag 'kbuild-fixes-v4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

Pull Kbuild fixes from Masahiro Yamada:

 - fix missed rebuild of TRIM_UNUSED_KSYMS

 - fix rpm-pkg for GNU tar >= 1.29

 - include scripts/dtc/include-prefixes/* to kernel header deb-pkg

 - add -no-integrated-as option ealier to fix building with Clang

 - fix netfilter Makefile for parallel building

* tag 'kbuild-fixes-v4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
  netfilter: nf_nat_snmp_basic: add correct dependency to Makefile
  kbuild: rpm-pkg: Support GNU tar >= 1.29
  builddeb: Fix header package regarding dtc source links
  kbuild: set no-integrated-as before incl. arch Makefile
  kbuild: make scripts/adjust_autoksyms.sh robust against timestamp races
2018-03-30 18:53:57 -10:00
Linus Torvalds
a44406ec3d Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Fix RCU locking in xfrm_local_error(), from Taehee Yoo.

 2) Fix return value assignments and thus error checking in
    iwl_mvm_start_ap_ibss(), from Johannes Berg.

 3) Don't count header length twice in vti4, from Stefano Brivio.

 4) Fix deadlock in rt6_age_examine_exception, from Eric Dumazet.

 5) Fix out-of-bounds access in nf_sk_lookup_slow{v4,v6}() from Subash
    Abhinov.

 6) Check nladdr size in netlink_connect(), from Alexander Potapenko.

 7) VF representor SQ numbers are 32 not 16 bits, in mlx5 driver, from
    Or Gerlitz.

 8) Out of bounds read in skb_network_protocol(), from Eric Dumazet.

 9) r8169 driver sets driver data pointer after register_netdev() which
    is too late. Fix from Heiner Kallweit.

10) Fix memory leak in mlx4 driver, from Moshe Shemesh.

11) The multi-VLAN decap fix added a regression when dealing with device
    that lack a MAC header, such as tun. Fix from Toshiaki Makita.

12) Fix integer overflow in dynamic interrupt coalescing code. From Tal
    Gilboa.

13) Use after free in vrf code, from David Ahern.

14) IPV6 route leak between VRFs fix, also from David Ahern.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (81 commits)
  net: mvneta: fix enable of all initialized RXQs
  net/ipv6: Fix route leaking between VRFs
  vrf: Fix use after free and double free in vrf_finish_output
  ipv6: sr: fix seg6 encap performances with TSO enabled
  net/dim: Fix int overflow
  vlan: Fix vlan insertion for packets without ethernet header
  net: Fix untag for vlan packets without ethernet header
  atm: iphase: fix spelling mistake: "Receiverd" -> "Received"
  vhost: validate log when IOTLB is enabled
  qede: Do not drop rx-checksum invalidated packets.
  hv_netvsc: enable multicast if necessary
  ip_tunnel: Resolve ipsec merge conflict properly.
  lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)
  qede: Fix barrier usage after tx doorbell write.
  vhost: correctly remove wait queue during poll failure
  net/mlx4_core: Fix memory leak while delete slave's resources
  net/mlx4_en: Fix mixed PFC and Global pause user control requests
  net/smc: use announced length in sock_recvmsg()
  llc: properly handle dev_queue_xmit() return value
  strparser: Fix sign of err codes
  ...
2018-03-30 18:47:28 -10:00
Yelena Krivosheev
e81b5e01c1 net: mvneta: fix enable of all initialized RXQs
In mvneta_port_up() we enable relevant RX and TX port queues by write
queues bit map to an appropriate register.

q_map must be ZERO in the beginning of this process.

Signed-off-by: Yelena Krivosheev <yelena@marvell.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 14:27:47 -04:00
David Ahern
b6cdbc8523 net/ipv6: Fix route leaking between VRFs
Donald reported that IPv6 route leaking between VRFs is not working.
The root cause is the strict argument in the call to rt6_lookup when
validating the nexthop spec.

ip6_route_check_nh validates the gateway and device (if given) of a
route spec. It in turn could call rt6_lookup (e.g., lookup in a given
table did not succeed so it falls back to a full lookup) and if so
sets the strict argument to 1. That means if the egress device is given,
the route lookup needs to return a result with the same device. This
strict requirement does not work with VRFs (IPv4 or IPv6) because the
oif in the flow struct is overridden with the index of the VRF device
to trigger a match on the l3mdev rule and force the lookup to its table.

The right long term solution is to add an l3mdev index to the flow
struct such that the oif is not overridden. That solution will not
backport well, so this patch aims for a simpler solution to relax the
strict argument if the route spec device is an l3mdev slave. As done
in other places, use the FLOWI_FLAG_SKIP_NH_OIF to know that the
RT6_LOOKUP_F_IFACE flag needs to be removed.

Fixes: ca254490c8 ("net: Add VRF support to IPv6 stack")
Reported-by: Donald Sharp <sharpd@cumulusnetworks.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 14:23:59 -04:00
David Ahern
82dd0d2a9a vrf: Fix use after free and double free in vrf_finish_output
Miguel reported an skb use after free / double free in vrf_finish_output
when neigh_output returns an error. The vrf driver should return after
the call to neigh_output as it takes over the skb on error path as well.

Patch is a simplified version of Miguel's patch which was written for 4.9,
and updated to top of tree.

Fixes: 8f58336d3f ("net: Add ethernet header for pass through VRF device")
Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 14:20:23 -04:00
David Lebrun
5807b22c91 ipv6: sr: fix seg6 encap performances with TSO enabled
Enabling TSO can lead to abysmal performances when using seg6 in
encap mode, such as with the ixgbe driver. This patch adds a call to
iptunnel_handle_offloads() to remove the encapsulation bit if needed.

Before:
root@comp4-seg6bpf:~# iperf3 -c fc00::55
Connecting to host fc00::55, port 5201
[  4] local fc45::4 port 36592 connected to fc00::55 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   196 KBytes  1.60 Mbits/sec   47   6.66 KBytes
[  4]   1.00-2.00   sec   304 KBytes  2.49 Mbits/sec  100   5.33 KBytes
[  4]   2.00-3.00   sec   284 KBytes  2.32 Mbits/sec   92   5.33 KBytes

After:
root@comp4-seg6bpf:~# iperf3 -c fc00::55
Connecting to host fc00::55, port 5201
[  4] local fc45::4 port 43062 connected to fc00::55 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  1.03 GBytes  8.89 Gbits/sec    0    743 KBytes
[  4]   1.00-2.00   sec  1.03 GBytes  8.87 Gbits/sec    0    743 KBytes
[  4]   2.00-3.00   sec  1.03 GBytes  8.87 Gbits/sec    0    743 KBytes

Reported-by: Tom Herbert <tom@quantonium.net>
Fixes: 6c8702c60b ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
Signed-off-by: David Lebrun <dlebrun@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 14:14:33 -04:00
Linus Torvalds
9dd2326890 A fix for a dio-enabled loop on ceph deadlock from Zheng, marked for
stable.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJavj1tAAoJEEp/3jgCEfOLE6EH/jjV2MM6cwZnWHc8yDdRcaYj
 SaunEoSliNeKwCpNSFjNsjL6y5KdnymLBboLGkBOoy5BJCkAMFCaGJQPEW4uCY21
 JBtT/PTykEO6c20bX8hcmrPpZguixd7U7oL077e/kQwjPBYHkZrnWWJfbJ6rtWxx
 PUtJ5fxr4Iv9XrusEi/TkeNFYthc6ivqeEn7wzqzFuJDHLLGAoC9pqZWNwYnqMoF
 klQ7Hk9dvoWwTM5OzD+x31nrVa8P/0tY0fYkhvpFoLrNLW70SGf1kVgltN5k1Ynp
 MW3KQlRHNKZrkgQskXHgPDMWPAeQA9oNw7YJOaOMe4As264cHyf2idmMn7bjhfg=
 =gA+z
 -----END PGP SIGNATURE-----

Merge tag 'ceph-for-4.16-rc8' of git://github.com/ceph/ceph-client

Pull ceph fix from Ilya Dryomov:
 "A fix for a dio-enabled loop on ceph deadlock from Zheng, marked for
  stable"

* tag 'ceph-for-4.16-rc8' of git://github.com/ceph/ceph-client:
  ceph: only dirty ITER_IOVEC pages for direct read
2018-03-30 07:29:47 -10:00
Linus Torvalds
72573481eb KVM fixes for v4.16-rc8
PPC:
  - Fix a bug causing occasional machine check exceptions on POWER8 hosts
    (introduced in 4.16-rc1)
 
 x86:
  - Fix a guest crashing regression with nested VMX and restricted guest
    (introduced in 4.16-rc1)
 
  - Fix dependency check for pv tlb flush (The wrong dependency that
    effectively disabled the feature was added in 4.16-rc4, the original
    feature in 4.16-rc1, so it got decent testing.)
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABCAAGBQJavUt5AAoJEED/6hsPKofo8uQH/RuijrsAIUnymkYY+6BYFXlh
 Ri8qhG8VB+C3SpWEtsqcqNVkjJTepCD2Ej5BJTL4Gc9BSTWy7Ht6kqskEgwcnzu2
 xRfkg0q0vTj1+GDd+UiTZfxiinoHtB9x3fiXali5UNTCd1fweLxdidETfO+GqMMq
 KDhTR+S8dXE5VG7r+iJ80LZPtHQJ94f0fh9XpQk3X2ExTG5RBxag1U2nCfiKRAZk
 xRv1CNAxNaBxS38CgYfHzg31NJx38fnq/qREsIdOx0Ju9WQkglBFkhLAGUb4vL0I
 nn8YX/oV9cW2G8tyPWjC245AouABOLbzu0xyj5KgCY/z1leA9tdLFX/ET6Zye+E=
 =++uZ
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Radim Krčmář:
 "PPC:
   - Fix a bug causing occasional machine check exceptions on POWER8
     hosts (introduced in 4.16-rc1)

  x86:
   - Fix a guest crashing regression with nested VMX and restricted
     guest (introduced in 4.16-rc1)

   - Fix dependency check for pv tlb flush (the wrong dependency that
     effectively disabled the feature was added in 4.16-rc4, the
     original feature in 4.16-rc1, so it got decent testing)"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: x86: Fix pv tlb flush dependencies
  KVM: nVMX: sync vmcs02 segment regs prior to vmx_set_cr0
  KVM: PPC: Book3S HV: Fix duplication of host SLB entries
2018-03-30 07:24:14 -10:00
Linus Torvalds
bd886137a1 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fix from Wolfram Sang:
 "A simple but worthwhile I2C driver fix for 4.16"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: i2c-stm32f7: fix no check on returned setup
2018-03-30 07:14:35 -10:00
Linus Torvalds
ef82f598a0 sound fixes for 4.16-final
Very small fixes (all one-liners) at this time.
 One fix is for a PCM core stuff to correct the mmap behavior on
 non-x86.  It doesn't show on most machines but mostly only for
 exotic non-interleaved formats.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAlq8uZoOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE/8sBAAj076kOSWaTbVoK765bPEztUA5c63ytgqjvFL
 IA5YuMgZLrG0r+3sZ9K/+wBtrlATZMI+zxMcDNM4y+BeiWl3D5HZN/oTcxUrOm6f
 fExaQZd2qEZNDJmRUalpWwHwM/XvUjPEjOwMMk3hN4FQulUrwIkVKCk2eE5Sp80Y
 lHOzh8gx1CniUi2mCdoheDHWJqyoRNsBmNryP4WfC3bDb8HgMEuhFxWSTUU7HRXn
 ONQodcINWo/zp8R/EB68XWBmJSMswL0OFWTxYOc5pLJGihzc0hrHSt7IX8Ht5KnG
 Xml/zrWI/2/pnQoo1BsuKwIlwo4K4q0/ZEj0P/Ieeg6YgPIFADLgVjgauD5wJJkT
 zKvaEDG296V93f/0zy763+6G0fx8NkhErsveMNe8gPoKnHKf8eOx0aBipYhxPhRn
 9ZqqNTGXg6UVJt4rQZii6n29G+O2S3h7AGUPvoUi9VL6XsY0uBLlZVPCqZfVkmSx
 aKwQz8SL4XwOqF9GG8neOXbjUH178DbdBdVtqWnttu6rJXJPIOuWErV64QR9dnzm
 xYpawivNkU6C4LP8RyG9KiysEDCtYE3a/pgubKoPBZULrUXS217e2Z7VTYLo7EGJ
 Dh1cBPhG8gJRPVowbDrDd0br3zhZ6aLbi8MoLDtred37imxOQq84Q56ZQTsyQPIt
 9+KviWY=
 =tUOp
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Very small fixes (all one-liners) at this time.

  One fix is for a PCM core stuff to correct the mmap behavior on
  non-x86. It doesn't show on most machines but mostly only for exotic
  non-interleaved formats"

* tag 'sound-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: pcm: potential uninitialized return values
  ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
  ALSA: usb-audio: Add native DSD support for TEAC UD-301
2018-03-30 07:11:14 -10:00
Tal Gilboa
f97c3dc3c0 net/dim: Fix int overflow
When calculating difference between samples, the values
are multiplied by 100. Large values may cause int overflow
when multiplied (usually on first iteration).
Fixed by forcing 100 to be of type unsigned long.

Fixes: 4c4dbb4a73 ("net/mlx5e: Move dynamic interrupt coalescing code to include/linux")
Signed-off-by: Tal Gilboa <talgi@mellanox.com>
Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 12:56:22 -04:00
David S. Miller
52a9692a43 Merge branch 'vlan-fix'
Toshiaki Makita says:

====================
Fix vlan tag handling for vlan packets without ethernet headers

Eric Dumazet reported syzbot found a new bug which leads to underflow of
size argument of memmove(), causing crash[1]. This can be triggered by tun
devices.

The underflow happened because skb_vlan_untag() did not expect vlan packets
without ethernet headers, and tun can produce such packets.
I also checked vlan_insert_inner_tag() and found a similar bug.

This series fixes these problems.

[1] https://marc.info/?l=linux-netdev&m=152221753920510&w=2
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 12:36:28 -04:00
Toshiaki Makita
c769accdf3 vlan: Fix vlan insertion for packets without ethernet header
In some situation vlan packets do not have ethernet headers. One example
is packets from tun devices. Users can specify vlan protocol in tun_pi
field instead of IP protocol. When we have a vlan device with reorder_hdr
disabled on top of the tun device, such packets from tun devices are
untagged in skb_vlan_untag() and vlan headers will be inserted back in
vlan_insert_inner_tag().

vlan_insert_inner_tag() however did not expect packets without ethernet
headers, so in such a case size argument for memmove() underflowed.

We don't need to copy headers for packets which do not have preceding
headers of vlan headers, so skip memmove() in that case.
Also don't write vlan protocol in skb->data when it does not have enough
room for it.

Fixes: cbe7128c4b ("vlan: Fix out of order vlan headers with reorder header off")
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 12:36:27 -04:00
Toshiaki Makita
ae4745730c net: Fix untag for vlan packets without ethernet header
In some situation vlan packets do not have ethernet headers. One example
is packets from tun devices. Users can specify vlan protocol in tun_pi
field instead of IP protocol, and skb_vlan_untag() attempts to untag such
packets.

skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it)
however did not expect packets without ethernet headers, so in such a case
size argument for memmove() underflowed and triggered crash.

====
BUG: unable to handle kernel paging request at ffff8801cccb8000
IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101
Oops: 000b [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287
RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2
RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000
RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899
R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4
R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40
FS:  00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 memmove include/linux/string.h:360 [inline]
 skb_reorder_vlan_header net/core/skbuff.c:5031 [inline]
 skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061
 __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701
 netif_receive_skb+0xae/0x390 net/core/dev.c:4725
 tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555
 tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962
 tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990
 call_write_iter include/linux/fs.h:1782 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454879
RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879
RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000
Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 <f3> a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20
RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28
CR2: ffff8801cccb8000
====

We don't need to copy headers for packets which do not have preceding
headers of vlan headers, so skip memmove() in that case.

Fixes: 4bbb3e0e82 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 12:36:27 -04:00
Colin Ian King
a9645b273e atm: iphase: fix spelling mistake: "Receiverd" -> "Received"
Trivial fix to spelling mistake in message text

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 10:10:04 -04:00
Yan, Zheng
85784f9395 ceph: only dirty ITER_IOVEC pages for direct read
If a page is already locked, attempting to dirty it leads to a deadlock
in lock_page().  This is what currently happens to ITER_BVEC pages when
a dio-enabled loop device is backed by ceph:

  $ losetup --direct-io /dev/loop0 /mnt/cephfs/img
  $ xfs_io -c 'pread 0 4k' /dev/loop0

Follow other file systems and only dirty ITER_IOVEC pages.

Cc: stable@kernel.org
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2018-03-30 11:17:48 +02:00
Linus Torvalds
c2a9838452 - Fix a DM multipath regression introduced in a v4.16-rc6 commit:
restore support for loading, and attaching, scsi_dh modules during
   multipath table load.  Otherwise some users may find themselves unable
   to boot, as was reported today:
   https://marc.info/?l=linux-scsi&m=152231276114962&w=2
 
 - Fix a DM core ioctl permission check regression introduced in a
   v4.16-rc5 commit.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJavbT9AAoJEMUj8QotnQNaCO4H/iMUmvUl2tM8fPuWfp6ZXKov
 vyn9AwMQeAp2K9pE+04VaKbLazu0Z0GW4Fhf0oIFlsySKZ3VCebClTCTgNW5/AWd
 JV41T2oWY3QDoZaSep9TSPPPldXZYIniCznlxObYB47c7q5lRaFTy3NP4nMbVrvo
 24E/dbFNZ/hF+98IoPdHQ5vpIbosumYhquiKsS5zH+8XA4kR+KumeEgsmDAvwHVd
 zNJI1o8P5kdm/yM6NNUQsk5OL6knTEuVp8t4NT0V27wU6mUVY0Mo//Q/kEezPw3R
 MC1157EFxV/6N3UA6N6XW+Y6ePfzqU7+cj5QFFVJB5rdWbDWTBmlhoE5ukThZmU=
 =H2lD
 -----END PGP SIGNATURE-----

Merge tag 'for-4.16/dm-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix a DM multipath regression introduced in a v4.16-rc6 commit:
   restore support for loading, and attaching, scsi_dh modules during
   multipath table load. Otherwise some users may find themselves unable
   to boot, as was reported today:

     https://marc.info/?l=linux-scsi&m=152231276114962&w=2

 - Fix a DM core ioctl permission check regression introduced in a
   v4.16-rc5 commit.

* tag 'for-4.16/dm-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm: fix dropped return code from dm_get_bdev_for_ioctl
  dm mpath: fix support for loading scsi_dh modules during table load
2018-03-29 19:27:12 -10:00
Linus Torvalds
d89b9f5029 Fifth pull request for 4.16-rc
Bug fixes:
 - qedr driver bugfixes causing application hangs, wrong uapi errnos, and a
   race condition
 - 3 syzkaller found bugfixes in the ucma uapi
 
 Regression fixes for things introduced in 4.16:
 - Crash on error introduced in mlx5 UMR flow
 - Crash on module unload/etc introduced by bad interaction of restrack
   and mlx5 patches this cycle
 - Typo in a two line syzkaller bugfix causing a bad regression
 - Coverity report of nonsense code in hns driver
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCgAGBQJavTPwAAoJEDht9xV+IJsaMtIP/04hM1pWJAxCPtxlXFqlfLnQ
 llGvDlzyGUrFlSbDITmXXS3nVFtk36SM6Eqqa48yi7oZF+2+4JjlaqIUiYXmAOOR
 ocvpDB4QKXgnjAc9mIyJ8SOILhmSDOwwbueaKBClnyPIj5wGvrKlnAdeGDgPeuSU
 Jcmect5penbU4U44m4JtbqSNIRWuoUvrbQ6ioftHV32RnXBRyrP1KxXtM3tVvav8
 TlBgCt6zWhab1u6MGEebJgx97eFwhgc1Bd1mIJv9TPPEplC8kqaNRFrsctsyDUxu
 h674VNE5YyzoLBrUGI4IzvL5f3p8OEa18wslJB5ZyL6qiorj5y4vf+lSiQT8qOSF
 NW+jmsVEA0l0trVkl5r0qhzIV+EVTgSoR4C5wKbxEwMx51PmG/utPqFV+N511In7
 GPqmRL3KuJPBZ0TIepwoH57FwrXdfc/UiF95duLizHojJgMpbnn18pQUBj2Fofch
 Gs9IjipO8AxpYybRoGvBC7fMTrzs5IV3yNj2qxu2mCq0tRQMu1cbOh6y//YZKqjL
 wQFtUSX2rO/rcvABAgpEP7a/9aLEj5m+vsFpEtigteRQRggOH6dAxXYzK8qKFqPK
 4C9+5ybpAJqjjMuFxjd9n6BIYJG8gEhSGIyOaeP6cK016AQj4FN8ZgLwR9nTokQS
 p9DdyVZWFpqAuCWV5ML1
 =0JcN
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
 "It has been fairly silent lately on our -rc front. Big queue of
  patches on the mailing list going to for-next though.

  Bug fixes:
   - qedr driver bugfixes causing application hangs, wrong uapi errnos,
     and a race condition
   - three syzkaller found bugfixes in the ucma uapi

  Regression fixes for things introduced in 4.16:
   - Crash on error introduced in mlx5 UMR flow
   - Crash on module unload/etc introduced by bad interaction of
     restrack and mlx5 patches this cycle
   - Typo in a two line syzkaller bugfix causing a bad regression
   - Coverity report of nonsense code in hns driver"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/ucma: Introduce safer rdma_addr_size() variants
  RDMA/hns: ensure for-loop actually iterates and free's buffers
  RDMA/ucma: Check that device exists prior to accessing it
  RDMA/ucma: Check that device is connected prior to access it
  RDMA/rdma_cm: Fix use after free race with process_one_req
  RDMA/qedr: Fix QP state initialization race
  RDMA/qedr: Fix rc initialization on CNQ allocation failure
  RDMA/qedr: fix QP's ack timeout configuration
  RDMA/ucma: Correct option size check using optlen
  RDMA/restrack: Move restrack_clean to be symmetrical to restrack_init
  IB/mlx5: Don't clean uninitialized UMR resources
2018-03-29 19:23:24 -10:00
Linus Torvalds
ab12762b19 * Fix a bug in Atmel ECC engine driver
* Fix a bug in the CFI/JEDEC driver
 -----BEGIN PGP SIGNATURE-----
 
 iQI5BAABCAAjBQJavSJwHBxib3Jpcy5icmV6aWxsb25AYm9vdGxpbi5jb20ACgkQ
 Ze02AX4ItwAOFxAAhJOgJYjreRCw5dNzx3ckrqsuqvaTjB9SqE34tCQXgM/+ln2G
 cr2YvG1JwQ6IUaJCJIjP+IOdzGpqdujvTUS5JlJfPEE8RkZe2wvrwjMFhOQjnx/i
 U2LHv2jJPQ8+0feRQ54lmWUA7gagKUIb1nkzp3llYaPJ0mrhBgkANnf5QsZtz+NN
 Nv7OA68h1Y7HfPK4o55CS26DdORGLiv2nVpumYDf82oc1t4EJbj/Y6wxNFpmvj/H
 74MqZ8SOHF2E4pAYZC8twJPsnRMfIXfrRToHyXOb1ShxXc423j1hcltTBlxRHpfB
 +1jzmp1Ux4c3ltRZJC221NO4SJHK8roop3Mr1a4zfH256gpY6DPFMchqLEqgW2kc
 ZFdQBaw/SvVQJRXds0MvhB3O33iATWbz02FRScF6rezgAlb9It2gTTo0frs03y5C
 +Pe4wlTTcehu5Vw7QzbB3TxdAhGr3MHitvgX7biSEcF754gwtMRkA/ey9rqBUTuM
 fdZB+/Dw0g4zPMuvztn2nmX9IlvcQZ1zEcbekUPTEnpf61W+GSELz2MzM2tmBQyi
 oHxjPM9r6t9ABKr98R7lgTAoiAehG7s0d7bC7zAHNw5fHRlx0MHog+9bFYYlBFUB
 27c/LKIX1MW8ts+IF3WM2x/M2SpPoWDkboge4RGrE42VETPqJltfXtm6gdo=
 =wEYA
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-4.16' of git://git.infradead.org/linux-mtd

Pull MTD fixes from Boris Brezillon:
 "Two fixes, one in the atmel NAND driver and another one in the
  CFI/JEDEC code.

  Summary:

   - Fix a bug in Atmel ECC engine driver

   - Fix a bug in the CFI/JEDEC driver"

* tag 'mtd/fixes-for-4.16' of git://git.infradead.org/linux-mtd:
  mtd: jedec_probe: Fix crash in jedec_read_mfr()
  mtd: nand: atmel: Fix get_sectorsize() function
2018-03-29 19:21:29 -10:00
Mike Snitzer
da5dadb4f1 dm: fix dropped return code from dm_get_bdev_for_ioctl
dm_get_bdev_for_ioctl()'s return of 0 or 1 must be the result from
prepare_ioctl (1 means the ioctl was issued to a partition, 0 means it
wasn't).  Unfortunately commit 519049afea ("dm: use blkdev_get rather
than bdgrab when issuing pass-through ioctl") reused the variable 'r'
to store the return from blkdev_get() that follows prepare_ioctl()
-- whereby dropping prepare_ioctl()'s result on the floor.

This can lead to an ioctl or persistent reservation being issued to a
partition going unnoticed, which implies the extra permission check for
CAP_SYS_RAWIO is skipped.

Fix this by using a different variable to store blkdev_get()'s return.

Fixes: 519049afea ("dm: use blkdev_get rather than bdgrab when issuing pass-through ioctl")
Reported-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2018-03-29 23:31:32 -04:00
David S. Miller
74957cbfb7 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkman says:

====================
pull-request: bpf 2018-03-29

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Fix nfp to properly check max insn count while emitting
   instructions in the JIT which was wrongly comparing bytes
   against number of instructions before, from Jakub.

2) Fix for bpftool to avoid usage of hex numbers in JSON
   output since JSON doesn't accept hex numbers with 0x
   prefix, also from Jakub.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-29 21:49:19 -04:00
Mike Snitzer
e457edf0b2 dm mpath: fix support for loading scsi_dh modules during table load
The ability to have multipath dynamically attach a scsi_dh, that the user
specified in the multipath table, was broken by commit e8f74a0f00 ("dm
mpath: eliminate need to use scsi_device_from_queue").

Restore the ability to load, and attach, a particular scsi_dh module if
one is specified (as noticed by checking m->hw_handler_name).

Fixes: e8f74a0f00 ("dm mpath: eliminate need to use scsi_device_from_queue")
Reported-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2018-03-29 17:00:44 -04:00
Jason Wang
d65026c6c6 vhost: validate log when IOTLB is enabled
Vq log_base is the userspace address of bitmap which has nothing to do
with IOTLB. So it needs to be validated unconditionally otherwise we
may try use 0 as log_base which may lead to pin pages that will lead
unexpected result (e.g trigger BUG_ON() in set_bit_to_user()).

Fixes: 6b1e6cc785 ("vhost: new device IOTLB API")
Reported-by: syzbot+6304bf97ef436580fede@syzkaller.appspotmail.com
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-29 16:22:47 -04:00
Manish Chopra
58f101bf87 qede: Do not drop rx-checksum invalidated packets.
Today, driver drops received packets which are indicated as
invalid checksum by the device. Instead of dropping such packets,
pass them to the stack with CHECKSUM_NONE indication in skb.

Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
Signed-off-by: Manish Chopra <manish.chopra@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-29 14:32:15 -04:00
Linus Walleij
87a73eb5b5 mtd: jedec_probe: Fix crash in jedec_read_mfr()
It turns out that the loop where we read manufacturer
jedec_read_mfd() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:

Unable to handle kernel paging request at virtual address c4980000
pgd = (ptrval)
[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : [<c03a2bf4>]    lr : [<00000004>]    psr: 60000013
sp : c382dd18  ip : 0000ffff  fp : 00000000
r10: c0626388  r9 : 00020000  r8 : c0626340
r7 : 00000000  r6 : 00000001  r5 : c3a71afc  r4 : c382dd70
r3 : 00000001  r2 : c4900000  r1 : 00000002  r0 : 00080000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 0000397f  Table: 00004000  DAC: 00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))

Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.

Fixes: 5c9c11e1c4 ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
2018-03-29 19:29:06 +02:00
Boris Brezillon
2b1b1b4ac7 mtd: nand: atmel: Fix get_sectorsize() function
get_sectorsize() was not using the appropriate macro to extract the
ECC sector size from the config cache, which led to buggy ECC when
using 1024 byte sectors.

Fixes: f88fc122cc ("mtd: nand: Cleanup/rework the atmel_nand driver")
Cc: <stable@vger.kernel.org>
Reported-by: Olivier Schonken <olivier.schonken@gmail.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Reviewed-by: Richard Weinberger <richard@nod.at>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Tested-by: Olivier Schonken <olivier.schonken@gmail.com>
2018-03-29 19:29:06 +02:00
Stephen Hemminger
f03dbb06dc hv_netvsc: enable multicast if necessary
My recent change to netvsc drive in how receive flags are handled
broke multicast.  The Hyper-v/Azure virtual interface there is not a
multicast filter list, filtering is only all or none. The driver must
enable all multicast if any multicast address is present.

Fixes: 009f766ca2 ("hv_netvsc: filter multicast/broadcast")
Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-29 11:45:06 -04:00
David S. Miller
5568cdc368 ip_tunnel: Resolve ipsec merge conflict properly.
We want to use dev_set_mtu() regardless of how we calculate
the mtu value.

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-29 11:42:14 -04:00
Raghuram Chary J
2d2d99ec13 lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)
Description:
Crash was reported with syzkaller pointing to lan78xx_write_reg routine.

Root-cause:
Proper cleanup of workqueues and init/setup routines was not happening
in failure conditions.

Fix:
Handled the error conditions by cleaning up the queues and init/setup
routines.

Fixes: 55d7de9de6 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-29 11:35:51 -04:00
David S. Miller
020295d95e Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:

====================
pull request (net): ipsec 2018-03-29

1) Fix a rcu_read_lock/rcu_read_unlock imbalance
   in the error path of xfrm_local_error().
   From Taehee Yoo.

2) Some VTI MTU fixes. From Stefano Brivio.

3) Fix a too early overwritten skb control buffer
   on xfrm transport mode.

Please note that this pull request has a merge conflict
in net/ipv4/ip_tunnel.c.

The conflict is between

commit f6cc9c054e ("ip_tunnel: Emit events for post-register MTU changes")

from the net tree and

commit 24fc79798b ("ip_tunnel: Clamp MTU to bounds on new link")

from the ipsec tree.

It can be solved as it is currently done in linux-next.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-29 10:12:47 -04:00
Linus Torvalds
0b412605ef tegra + amdkfd final fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJavDfaAAoJEAx081l5xIa+PJkQAJJTlmLeXSFhzMyxmBwOEiKl
 jAawsi7tTiJTjKeMwDmBZDbaU6TdlmEiwpwR0GgBvn+Bp7yM7MulSEByQF8lVv19
 fFnakWFyYiCvQyeuPIxXud1z7CihCFYDFhxLdkcB/fSbo9fiCwn07G895HKCY//P
 V6+O+5ghYckVVOYJzXhhPmPQnRAPPAL2vb924lvqQnnfdyufQTpZLsTFdZWIIDSO
 USiD8aLZ/fkyLvgTsOL/Fw2lsX/ToQkgnzciO3h/xMpGy2VY+C1gDe0Fp2KOJZrv
 dXdTGvoUi76z98l5hz+R+aCVBTKFEEtRIYKvpeWmHpZPU1bIoyCCZChQfEw3w13M
 +Vs4trHEixnOkPnHUorfUW+dPZRBvKqKXUDEBFdI3zUqaU7oWo2uWpKFqwvlu8GJ
 /MdMBDPFTy3RVCbecpEprTTtIXMJiNkNSod3rsGjEHxIZPSGUUYNGwqUh+9ZeGSf
 3GR3uIACKyizrLNRQfR8168XMGDwOYg8CNIu1gn1wzJeu6BSJR9OAH/UPpqybXUh
 zICNJp6JrHe2A49JorfO+UjI3vVk+4DhjrFXmRjrykMiftz0xF2TrGmYe3/6QsQ+
 WjUqFgSZmNP6JIeblfNpGA1J/FztJHDtfZfY52qPGweOx0nJMb4NLJCMIr3ulrQC
 5d7Cgz7KyOPD7JqnJCTL
 =oXU3
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-for-v4.16-rc8' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "Nothing serious, two amdkfd and two tegra fixes"

* tag 'drm-fixes-for-v4.16-rc8' of git://people.freedesktop.org/~airlied/linux:
  drm/tegra: dc: Using NULL instead of plain integer
  drm/amdkfd: Deallocate SDMA queues correctly
  drm/amdkfd: Fix scratch memory with HWS enabled
  drm/tegra: dc: Use correct format array for Tegra124
2018-03-28 15:07:23 -10:00