1. 25 May, 2018 10 commits
  2. 24 May, 2018 2 commits
  3. 23 May, 2018 14 commits
  4. 22 May, 2018 13 commits
    • Bo Chen's avatar
      pcnet32: add an error handling path in pcnet32_probe_pci() · d7db3186
      Bo Chen authored
      Make sure to invoke pci_disable_device() when errors occur in
      pcnet32_probe_pci().
      Signed-off-by: default avatarBo Chen <chenbo@pdx.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d7db3186
    • Shahed Shaikh's avatar
      qed: Fix mask for physical address in ILT entry · fdd13dd3
      Shahed Shaikh authored
      ILT entry requires 12 bit right shifted physical address.
      Existing mask for ILT entry of physical address i.e.
      ILT_ENTRY_PHY_ADDR_MASK is not sufficient to handle 64bit
      address because upper 8 bits of 64 bit address were getting
      masked which resulted in completer abort error on
      PCIe bus due to invalid address.
      
      Fix that mask to handle 64bit physical address.
      
      Fixes: fe56b9e6 ("qed: Add module with basic common support")
      Signed-off-by: default avatarShahed Shaikh <shahed.shaikh@cavium.com>
      Signed-off-by: default avatarAriel Elior <ariel.elior@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fdd13dd3
    • Eric Dumazet's avatar
      ipmr: properly check rhltable_init() return value · 66fb3325
      Eric Dumazet authored
      commit 8fb472c0 ("ipmr: improve hash scalability")
      added a call to rhltable_init() without checking its return value.
      
      This problem was then later copied to IPv6 and factorized in commit
      0bbbf0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 31552 Comm: syz-executor7 Not tainted 4.17.0-rc5+ #60
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:rht_key_hashfn include/linux/rhashtable.h:277 [inline]
      RIP: 0010:__rhashtable_lookup include/linux/rhashtable.h:630 [inline]
      RIP: 0010:rhltable_lookup include/linux/rhashtable.h:716 [inline]
      RIP: 0010:mr_mfc_find_parent+0x2ad/0xbb0 net/ipv4/ipmr_base.c:63
      RSP: 0018:ffff8801826aef70 EFLAGS: 00010203
      RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffc90001ea0000
      RDX: 0000000000000079 RSI: ffffffff8661e859 RDI: 000000000000000c
      RBP: ffff8801826af1c0 R08: ffff8801b2212000 R09: ffffed003b5e46c2
      R10: ffffed003b5e46c2 R11: ffff8801daf23613 R12: dffffc0000000000
      R13: ffff8801826af198 R14: ffff8801cf8225c0 R15: ffff8801826af658
      FS:  00007ff7fa732700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000003ffffff9c CR3: 00000001b0210000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       ip6mr_cache_find_parent net/ipv6/ip6mr.c:981 [inline]
       ip6mr_mfc_delete+0x1fe/0x6b0 net/ipv6/ip6mr.c:1221
       ip6_mroute_setsockopt+0x15c6/0x1d70 net/ipv6/ip6mr.c:1698
       do_ipv6_setsockopt.isra.9+0x422/0x4660 net/ipv6/ipv6_sockglue.c:163
       ipv6_setsockopt+0xbd/0x170 net/ipv6/ipv6_sockglue.c:922
       rawv6_setsockopt+0x59/0x140 net/ipv6/raw.c:1060
       sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
       __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
       __do_sys_setsockopt net/socket.c:1914 [inline]
       __se_sys_setsockopt net/socket.c:1911 [inline]
       __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 8fb472c0 ("ipmr: improve hash scalability")
      Fixes: 0bbbf0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Cc: Yuval Mintz <yuvalm@mellanox.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66fb3325
    • Alexey Kodanev's avatar
      dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() · 2677d206
      Alexey Kodanev authored
      Syzbot reported the use-after-free in timer_is_static_object() [1].
      
      This can happen because the structure for the rto timer (ccid2_hc_tx_sock)
      is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be
      called after that.
      
      The report [1] is similar to the one in commit 120e9dab ("dccp:
      defer ccid_hc_tx_delete() at dismantle time"). And the fix is the same,
      delay freeing ccid2_hc_tx_sock structure, so that it is freed in
      dccp_sk_destruct().
      
      [1]
      
      ==================================================================
      BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90
      kernel/time/timer.c:607
      Read of size 8 at addr ffff8801bebb5118 by task syz-executor2/25299
      
      CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        <IRQ>
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1b9/0x294 lib/dump_stack.c:113
        print_address_description+0x6c/0x20b mm/kasan/report.c:256
        kasan_report_error mm/kasan/report.c:354 [inline]
        kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
        __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
        timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
        debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
        debug_timer_activate kernel/time/timer.c:709 [inline]
        debug_activate kernel/time/timer.c:764 [inline]
        __mod_timer kernel/time/timer.c:1041 [inline]
        mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
        sk_reset_timer+0x22/0x60 net/core/sock.c:2742
        ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
        call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
        expire_timers kernel/time/timer.c:1363 [inline]
        __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
        run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
        __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
        invoke_softirq kernel/softirq.c:365 [inline]
        irq_exit+0x1d1/0x200 kernel/softirq.c:405
        exiting_irq arch/x86/include/asm/apic.h:525 [inline]
        smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
        apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
        </IRQ>
      ...
      Allocated by task 25374:
        save_stack+0x43/0xd0 mm/kasan/kasan.c:448
        set_track mm/kasan/kasan.c:460 [inline]
        kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
        kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
        kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
        ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
        dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
        __dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
        dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
        dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
        dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
        dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
        dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
        dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
        ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
        NF_HOOK include/linux/netfilter.h:288 [inline]
        ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
        dst_input include/net/dst.h:450 [inline]
        ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
        NF_HOOK include/linux/netfilter.h:288 [inline]
        ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
        __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
        __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
        process_backlog+0x219/0x760 net/core/dev.c:5337
        napi_poll net/core/dev.c:5735 [inline]
        net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
        __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
      
      Freed by task 25374:
        save_stack+0x43/0xd0 mm/kasan/kasan.c:448
        set_track mm/kasan/kasan.c:460 [inline]
        __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
        kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
        __cache_free mm/slab.c:3498 [inline]
        kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
        ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190
        dccp_disconnect+0x130/0xc66 net/dccp/proto.c:286
        dccp_close+0x3bc/0xe60 net/dccp/proto.c:1045
        inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
        inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
        sock_release+0x96/0x1b0 net/socket.c:594
        sock_close+0x16/0x20 net/socket.c:1149
        __fput+0x34d/0x890 fs/file_table.c:209
        ____fput+0x15/0x20 fs/file_table.c:243
        task_work_run+0x1e4/0x290 kernel/task_work.c:113
        tracehook_notify_resume include/linux/tracehook.h:191 [inline]
        exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
        prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
        do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8801bebb4cc0
        which belongs to the cache ccid2_hc_tx_sock of size 1240
      The buggy address is located 1112 bytes inside of
        1240-byte region [ffff8801bebb4cc0, ffff8801bebb5198)
      The buggy address belongs to the page:
      page:ffffea0006faed00 count:1 mapcount:0 mapping:ffff8801bebb41c0
      index:0xffff8801bebb5240 compound_mapcount: 0
      flags: 0x2fffc0000008100(slab|head)
      raw: 02fffc0000008100 ffff8801bebb41c0 ffff8801bebb5240 0000000100000003
      raw: ffff8801cdba3138 ffffea0007634120 ffff8801cdbaab40 0000000000000000
      page dumped because: kasan: bad access detected
      ...
      ==================================================================
      
      Reported-by: syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2677d206
    • Wenwen Wang's avatar
      isdn: eicon: fix a missing-check bug · 6009d1fe
      Wenwen Wang authored
      In divasmain.c, the function divas_write() firstly invokes the function
      diva_xdi_open_adapter() to open the adapter that matches with the adapter
      number provided by the user, and then invokes the function diva_xdi_write()
      to perform the write operation using the matched adapter. The two functions
      diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c.
      
      In diva_xdi_open_adapter(), the user command is copied to the object 'msg'
      from the userspace pointer 'src' through the function pointer 'cp_fn',
      which eventually calls copy_from_user() to do the copy. Then, the adapter
      number 'msg.adapter' is used to find out a matched adapter from the
      'adapter_queue'. A matched adapter will be returned if it is found.
      Otherwise, NULL is returned to indicate the failure of the verification on
      the adapter number.
      
      As mentioned above, if a matched adapter is returned, the function
      diva_xdi_write() is invoked to perform the write operation. In this
      function, the user command is copied once again from the userspace pointer
      'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as
      both of them are from the 'buf' pointer in divas_write(). Similarly, the
      copy is achieved through the function pointer 'cp_fn', which finally calls
      copy_from_user(). After the successful copy, the corresponding command
      processing handler of the matched adapter is invoked to perform the write
      operation.
      
      It is obvious that there are two copies here from userspace, one is in
      diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of
      these two copies share the same source userspace pointer, i.e., the 'buf'
      pointer in divas_write(). Given that a malicious userspace process can race
      to change the content pointed by the 'buf' pointer, this can pose potential
      security issues. For example, in the first copy, the user provides a valid
      adapter number to pass the verification process and a valid adapter can be
      found. Then the user can modify the adapter number to an invalid number.
      This way, the user can bypass the verification process of the adapter
      number and inject inconsistent data.
      
      This patch reuses the data copied in
      diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
      above issues can be avoided.
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6009d1fe
    • Fabio Estevam's avatar
      net: fec: Add a SPDX identifier · 1f508124
      Fabio Estevam authored
      Currently there is no license information in the header of
      this file.
      
      The MODULE_LICENSE field contains ("GPL"), which means
      GNU Public License v2 or later, so add a corresponding
      SPDX license identifier.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f508124
    • Fabio Estevam's avatar
      net: fec: ptp: Switch to SPDX identifier · 9fcca5ef
      Fabio Estevam authored
      Adopt the SPDX license identifier headers to ease license compliance
      management.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9fcca5ef
    • Xin Long's avatar
      sctp: fix the issue that flags are ignored when using kernel_connect · 644fbdea
      Xin Long authored
      Now sctp uses inet_dgram_connect as its proto_ops .connect, and the flags
      param can't be passed into its proto .connect where this flags is really
      needed.
      
      sctp works around it by getting flags from socket file in __sctp_connect.
      It works for connecting from userspace, as inherently the user sock has
      socket file and it passes f_flags as the flags param into the proto_ops
      .connect.
      
      However, the sock created by sock_create_kern doesn't have a socket file,
      and it passes the flags (like O_NONBLOCK) by using the flags param in
      kernel_connect, which calls proto_ops .connect later.
      
      So to fix it, this patch defines a new proto_ops .connect for sctp,
      sctp_inet_connect, which calls __sctp_connect() directly with this
      flags param. After this, the sctp's proto .connect can be removed.
      
      Note that sctp_inet_connect doesn't need to do some checks that are not
      needed for sctp, which makes thing better than with inet_dgram_connect.
      Suggested-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      644fbdea
    • Kalle Valo's avatar
      MAINTAINERS: change Kalle as wcn36xx maintainer · 813477aa
      Kalle Valo authored
      Eugene hasn't worked on wcn36xx for some time now.
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      813477aa
    • Kalle Valo's avatar
      MAINTAINERS: change Kalle as ath.ko maintainer · b5612909
      Kalle Valo authored
      Luis hasn't worked on ath.ko for some time now.
      Acked-by: default avatarLuis R. Rodriguez <mcgrof@kernel.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      b5612909
    • Kalle Valo's avatar
      MAINTAINERS: update Kalle's email address · c76700ab
      Kalle Valo authored
      I switched to use my codeaurora.org address.
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      c76700ab
    • Andrew Zaborowski's avatar
      mac80211_hwsim: Fix radio dump for radio idx 0 · fed48250
      Andrew Zaborowski authored
      Since 6335698e the radio with idx of 0
      will not get dumped in HWSIM_CMD_GET_RADIO because of the last_idx
      checks.  Offset cb->args[0] by 1 similarly to what is done in nl80211.c.
      
      Fixes: 6335698e ("mac80211_hwsim: add generation count for netlink dump operation")
      Signed-off-by: default avatarAndrew Zaborowski <andrew.zaborowski@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      fed48250
    • Haim Dreyfuss's avatar
      cfg80211: fix NULL pointer derference when querying regdb · 5247a77c
      Haim Dreyfuss authored
      Some drivers may call this function when regdb is not initialized yet,
      so we need to make sure regdb is valid before trying to access it.
      
      Make sure regdb is initialized before trying to access it in
      reg_query_regdb_wmm() and query_regdb().
      Reported-by: default avatarEric Biggers <ebiggers3@gmail.com>
      Signed-off-by: default avatarHaim Dreyfuss <haim.dreyfuss@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      5247a77c
  5. 21 May, 2018 1 commit
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · 6741c4bb
      Linus Torvalds authored
      Pull MIPS fixes from James Hogan:
      
       - fix build with DEBUG_ZBOOT and MACH_JZ4770 (4.16)
      
       - include xilfpga FDT in fitImage and stop generating dtb.o (4.15)
      
       - fix software IO coherence on CM SMP systems (4.8)
      
       - ptrace: Fix PEEKUSR/POKEUSR to o32 FGRs (3.14)
      
       - ptrace: Expose FIR register through FP regset (3.13)
      
       - fix typo in KVM debugfs file name (3.10)
      
      * tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
        MIPS: xilfpga: Actually include FDT in fitImage
        MIPS: xilfpga: Stop generating useless dtb.o
        KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
        MIPS: ptrace: Expose FIR register through FP regset
        MIPS: Fix build with DEBUG_ZBOOT and MACH_JZ4770
        MIPS: c-r4k: Fix data corruption related to cache coherence
      6741c4bb