1. 08 Oct, 2019 5 commits
    • Merge branch 'llc-fix-sk_buff-refcounting' · 38dc3b5f
      Jakub Kicinski authored
      Eric Biggers says:
      
      ====================
      Patches 1-2 fix the memory leaks that syzbot has reported in net/llc:
      
      	memory leak in llc_ui_create (2)
      	memory leak in llc_ui_sendmsg
      	memory leak in llc_conn_ac_send_sabme_cmd_p_set_x
      
      Patches 3-4 fix related bugs that I noticed while reading this code.
      
      Note: I've tested that this fixes the syzbot bugs, but otherwise I don't
      know of any way to test this code.
      ====================
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • llc: fix sk_buff refcounting in llc_conn_state_process() · 36453c85
      Eric Biggers authored
      If llc_conn_state_process() sees that llc_conn_service() put the skb on
      a list, it will drop one fewer references to it.  This is wrong because
      the current behavior is that llc_conn_service() never consumes a
      reference to the skb.
      
      The code also makes the number of skb references being dropped
      conditional on which of ind_prim and cfm_prim are nonzero, yet neither
      of these affects how many references are *acquired*.  So there is extra
      code that tries to fix this up by sometimes taking another reference.
      
      Remove the unnecessary/broken refcounting logic and instead just add an
      skb_get() before the only two places where an extra reference is
      actually consumed.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • llc: fix another potential sk_buff leak in llc_ui_sendmsg() · fc8d5db1
      Eric Biggers authored
      All callers of llc_conn_state_process() except llc_build_and_send_pkt()
      (via llc_ui_sendmsg() -> llc_ui_send_data()) assume that it always
      consumes a reference to the skb.  Fix this caller to do the same.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • llc: fix sk_buff leak in llc_conn_service() · b74555de
      Eric Biggers authored
      syzbot reported:
      
          BUG: memory leak
          unreferenced object 0xffff88811eb3de00 (size 224):
             comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s)
             hex dump (first 32 bytes):
               00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
               00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff  ..8$............
             backtrace:
               [<000000008d1c66a1>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
               [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline]
               [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline]
               [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
               [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
               [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline]
               [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
               [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140  net/llc/llc_c_ac.c:777
               [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475  [inline]
               [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline]
               [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640  net/llc/llc_conn.c:75
               [<00000000f27e53c1>] llc_establish_connection+0x110/0x170  net/llc/llc_if.c:109
               [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
               [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840
               [...]
      
      The bug is that most callers of llc_conn_send_pdu() assume it consumes a
      reference to the skb, when actually due to commit b85ab56c ("llc:
      properly handle dev_queue_xmit() return value") it doesn't.
      
      Revert most of that commit, and instead make the few places that need
      llc_conn_send_pdu() to *not* consume a reference call skb_get() before.
      
      Fixes: b85ab56c ("llc: properly handle dev_queue_xmit() return value")
      Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • llc: fix sk_buff leak in llc_sap_state_process() · c6ee11c3
      Eric Biggers authored
      syzbot reported:
      
          BUG: memory leak
          unreferenced object 0xffff888116270800 (size 224):
             comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s)
             hex dump (first 32 bytes):
               00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
               00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff  . .*.....@=*....
             backtrace:
               [<000000004d41b4cc>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
               [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline]
               [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline]
               [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
               [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
               [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline]
               [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250  net/core/skbuff.c:5327
               [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0  net/core/sock.c:2225
               [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
               [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
               [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline]
               [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671
               [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
      	 [...]
      
      The bug is that llc_sap_state_process() always takes an extra reference
      to the skb, but sometimes neither llc_sap_next_state() nor
      llc_sap_state_process() itself drops this reference.
      
      Fix it by changing llc_sap_next_state() to never consume a reference to
      the skb, rather than sometimes do so and sometimes not.  Then remove the
      extra skb_get() and kfree_skb() from llc_sap_state_process().
      
      Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com
      Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
  2. 07 Oct, 2019 9 commits
    • ptp: fix typo of "mechanism" in Kconfig help text · 503c9add
      Antonio Borneo authored
      Fix typo s/mechansim/mechanism/
      Signed-off-by: Antonio Borneo <antonio.borneo@st.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ionic: fix stats memory dereference · 4b514936
      Shannon Nelson authored
      When the netdev is down, the queues and their debug stats
      do not exist, so don't try using a pointer to them when
      printing the ethtool stats.
      
      Fixes: e470355b ("ionic: Add driver stats")
      Signed-off-by: Shannon Nelson <snelson@pensando.io>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'rxrpc-fixes-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 7359db69
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Syzbot-inspired fixes
      
      Here's a series of patches that fix a number of issues found by syzbot:
      
       (1) A reference leak on rxrpc_call structs in a sendmsg error path.
      
       (2) A tracepoint that looked in the rxrpc_peer record after putting it.
      
           Analogous with this, though not presently detected, the same bug is
           also fixed in relation to rxrpc_connection and rxrpc_call records.
      
       (3) Peer records don't pin local endpoint records, despite accessing them.
      
       (4) Access to connection crypto ops to clean up a call after the call's
           ref on that connection has been put.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rxrpc: Fix call crypto state cleanup · 91fcfbe8
      David Howells authored
      Fix the cleanup of the crypto state on a call after the call has been
      disconnected.  As the call has been disconnected, its connection ref has
      been discarded and so we can't go through that to get to the security ops
      table.
      
      Fix this by caching the security ops pointer in the rxrpc_call struct and
      using that when freeing the call security state.  Also use this in other
      places we're dealing with call-specific security.
      
      The symptoms look like:
      
          BUG: KASAN: use-after-free in rxrpc_release_call+0xb2d/0xb60
          net/rxrpc/call_object.c:481
          Read of size 8 at addr ffff888062ffeb50 by task syz-executor.5/4764
      
      Fixes: 1db88c53 ("rxrpc: Fix -Wframe-larger-than= warnings from on-stack crypto")
      Reported-by: syzbot+eed305768ece6682bb7f@syzkaller.appspotmail.com
      Signed-off-by: David Howells <dhowells@redhat.com>
    • rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record · 9ebeddef
      David Howells authored
      The rxrpc_peer record needs to hold a reference on the rxrpc_local record
      it points to, as the peer is used as a base to access information in the
      rxrpc_local record.
      
      This can cause problems in __rxrpc_put_peer(), where we need the network
      namespace pointer, and in rxrpc_send_keepalive(), where we need to access
      the UDP socket, leading to symptoms like:
      
          BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
          [inline]
          BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
          net/rxrpc/peer_object.c:435
          Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
      
      Fix this by taking a ref on the local record for the peer record.
      
      Fixes: ace45bec ("rxrpc: Fix firewall route keepalive")
      Fixes: 2baec2c3 ("rxrpc: Support network namespacing")
      Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
      Signed-off-by: David Howells <dhowells@redhat.com>
    • rxrpc: Fix trace-after-put looking at the put call record · 48c9e0ec
      David Howells authored
      rxrpc_put_call() calls trace_rxrpc_call() after it has done the decrement
      of the refcount - which looks at the debug_id in the call record.  But
      unless the refcount was reduced to zero, we no longer have the right to
      look in the record and, indeed, it may be deleted by some other thread.
      
      Fix this by getting the debug_id out before decrementing the refcount and
      then passing that into the tracepoint.
      
      Fixes: e34d4234 ("rxrpc: Trace rxrpc_call usage")
      Signed-off-by: David Howells <dhowells@redhat.com>
    • rxrpc: Fix trace-after-put looking at the put connection record · 4c1295dc
      David Howells authored
      rxrpc_put_*conn() calls trace_rxrpc_conn() after they have done the
      decrement of the refcount - which looks at the debug_id in the connection
      record.  But unless the refcount was reduced to zero, we no longer have the
      right to look in the record and, indeed, it may be deleted by some other
      thread.
      
      Fix this by getting the debug_id out before decrementing the refcount and
      then passing that into the tracepoint.
      
      Fixes: 363deeab ("rxrpc: Add connection tracepoint and client conn state tracepoint")
      Signed-off-by: David Howells <dhowells@redhat.com>
    • rxrpc: Fix trace-after-put looking at the put peer record · 55f6c98e
      David Howells authored
      rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
      of the refcount - which looks at the debug_id in the peer record.  But
      unless the refcount was reduced to zero, we no longer have the right to
      look in the record and, indeed, it may be deleted by some other thread.
      
      Fix this by getting the debug_id out before decrementing the refcount and
      then passing that into the tracepoint.
      
      This can cause the following symptoms:
      
          BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
          [inline]
          BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
          net/rxrpc/peer_object.c:435
          Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
      
      Fixes: 1159d4b4 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
      Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
      Signed-off-by: David Howells <dhowells@redhat.com>
    • rxrpc: Fix call ref leak · c48fc11b
      David Howells authored
      When sendmsg() finds a call to continue on with, if the call is in an
      inappropriate state, it doesn't release the ref it just got on that call
      before returning an error.
      
      This causes the following symptom to show up with kasan:
      
      	BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
      	net/rxrpc/output.c:635
      	Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077
      
      where line 635 is:
      
      	whdr.epoch	= htonl(peer->local->rxnet->epoch);
      
      The local endpoint (which cannot be pinned by the call) has been released,
      but not the peer (which is pinned by the call).
      
      Fix this by releasing the call in the error path.
      
      Fixes: 37411cad ("rxrpc: Fix potential NULL-pointer exception")
      Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
      Signed-off-by: David Howells <dhowells@redhat.com>
  3. 06 Oct, 2019 5 commits
  4. 05 Oct, 2019 21 commits
    • Merge tag 'kbuild-fixes-v5.4' of... · 2d00aee2
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - remove unneeded ar-option and KBUILD_ARFLAGS
      
       - remove long-deprecated SUBDIRS
      
       - fix modpost to suppress false-positive warnings for UML builds
      
       - fix namespace.pl to handle relative paths to ${objtree}, ${srctree}
      
       - make setlocalversion work for /bin/sh
      
       - make header archive reproducible
      
       - fix some Makefiles and documents
      
      * tag 'kbuild-fixes-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kheaders: make headers archive reproducible
        kbuild: update compile-test header list for v5.4-rc2
        kbuild: two minor updates for Documentation/kbuild/modules.rst
        scripts/setlocalversion: clear local variable to make it work for sh
        namespace: fix namespace.pl script to support relative paths
        video/logo: do not generate unneeded logo C files
        video/logo: remove unneeded *.o pattern from clean-files
        integrity: remove pointless subdir-$(CONFIG_...)
        integrity: remove unneeded, broken attempt to add -fshort-wchar
        modpost: fix static EXPORT_SYMBOL warnings for UML build
        kbuild: correct formatting of header in kbuild module docs
        kbuild: remove SUBDIRS support
        kbuild: remove ar-option and KBUILD_ARFLAGS
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 126195c9
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Twelve patches mostly small but obvious fixes or cosmetic but small
        updates"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: Fix Nport ID display value
        scsi: qla2xxx: Fix N2N link up fail
        scsi: qla2xxx: Fix N2N link reset
        scsi: qla2xxx: Optimize NPIV tear down process
        scsi: qla2xxx: Fix stale mem access on driver unload
        scsi: qla2xxx: Fix unbound sleep in fcport delete path.
        scsi: qla2xxx: Silence fwdump template message
        scsi: hisi_sas: Make three functions static
        scsi: megaraid: disable device when probe failed after enabled device
        scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue
        scsi: qedf: Remove always false 'tmp_prio < 0' statement
        scsi: ufs: skip shutdown if hba is not powered
        scsi: bnx2fc: Handle scope bits when array returns BUSY or TSF
    • Merge branch 'readdir' (readdir speedup and sanity checking) · 4f11918a
      Linus Torvalds authored
      This makes getdents() and getdents64() do sanity checking on the
      pathname that it gives to user space.  And to mitigate the performance
      impact of that, it first cleans up the way it does the user copying, so
      that the code avoids doing the SMAP/PAN updates between each part of the
      dirent structure write.
      
      I really wanted to do this during the merge window, but didn't have
      time.  The conversion of filldir to unsafe_put_user() is something I've
      had around for years now in a private branch, but the extra pathname
      checking finally made me clean it up to the point where it is mergeable.
      
      It's worth noting that the filename validity checking really should be a
      bit smarter: it would be much better to delay the error reporting until
      the end of the readdir, so that non-corrupted filenames are still
      returned.  But that involves bigger changes, so let's see if anybody
      actually hits the corrupt directory entry case before worrying about it
      further.
      
      * branch 'readdir':
        Make filldir[64]() verify the directory entry filename is valid
        Convert filldir[64]() from __put_user() to unsafe_put_user()
    • Make filldir[64]() verify the directory entry filename is valid · 8a23eb80
      Linus Torvalds authored
      This has been discussed several times, and now filesystem people are
      talking about doing it individually at the filesystem layer, so head
      that off at the pass and just do it in getdents{64}().
      
      This is partially based on a patch by Jann Horn, but checks for NUL
      bytes as well, and somewhat simplified.
      
      There's also commentary about how it might be better if invalid names
      due to filesystem corruption don't cause an immediate failure, but only
      an error at the end of the readdir(), so that people can still see the
      filenames that are ok.
      
      There's also been discussion about just how much POSIX strictly speaking
      requires this since it's about filesystem corruption.  It's really more
      "protect user space from bad behavior" as pointed out by Jann.  But
      since Eric Biederman looked up the POSIX wording, here it is for context:
      
       "From readdir:
      
         The readdir() function shall return a pointer to a structure
         representing the directory entry at the current position in the
         directory stream specified by the argument dirp, and position the
         directory stream at the next entry. It shall return a null pointer
         upon reaching the end of the directory stream. The structure dirent
         defined in the <dirent.h> header describes a directory entry.
      
        From definitions:
      
         3.129 Directory Entry (or Link)
      
         An object that associates a filename with a file. Several directory
         entries can associate names with the same file.
      
        ...
      
         3.169 Filename
      
         A name consisting of 1 to {NAME_MAX} bytes used to name a file. The
         characters composing the name may be selected from the set of all
         character values excluding the slash character and the null byte. The
         filenames dot and dot-dot have special meaning. A filename is
         sometimes referred to as a 'pathname component'."
      
      Note that I didn't bother adding the checks to any legacy interfaces
      that nobody uses.
      
      Also note that if this ends up being noticeable as a performance
      regression, we can fix that to do a much more optimized model that
      checks for both NUL and '/' at the same time one word at a time.
      
      We haven't really tended to optimize 'memchr()', and it only checks for
      one pattern at a time anyway, and we really _should_ check for NUL too
      (but see the comment about "soft errors" in the code about why it
      currently only checks for '/')
      
      See the CONFIG_DCACHE_WORD_ACCESS case of hash_name() for how the name
      lookup code looks for pathname terminating characters in parallel.
      
      Link: https://lore.kernel.org/lkml/20190118161440.220134-2-jannh@google.com/
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Jann Horn <jannh@google.com>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Convert filldir[64]() from __put_user() to unsafe_put_user() · 9f79b78e
      Linus Torvalds authored
      We really should avoid the "__{get,put}_user()" functions entirely,
      because they can easily be mis-used and the original intent of being
      used for simple direct user accesses no longer holds in a post-SMAP/PAN
      world.
      
      Manually optimizing away the user access range check makes no sense any
      more, when the range check is generally much cheaper than the "enable
      user accesses" code that the __{get,put}_user() functions still need.
      
      So instead of __put_user(), use the unsafe_put_user() interface with
      user_access_{begin,end}() that really does generate better code these
      days, and which is generally a nicer interface.  Under some loads, the
      multiple user writes that filldir() does are actually quite noticeable.
      
      This also makes the dirent name copy use unsafe_put_user() with a couple
      of macros.  We do not want to make function calls with SMAP/PAN
      disabled, and the code this generates is quite good when the
      architecture uses "asm goto" for unsafe_put_user() like x86 does.
      
      Note that this doesn't bother with the legacy cases.  Nobody should use
      them anyway, so performance doesn't really matter there.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 9819a30c
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix ieee802154 atusb driver use-after-free, from Johan Hovold.
      
       2) Need to validate TCA_CBQ_WRROPT netlink attributes, from Eric
          Dumazet.
      
       3) txq null deref in mac80211, from Miaoqing Pan.
      
       4) ionic driver needs to select NET_DEVLINK, from Arnd Bergmann.
      
       5) Need to disable bh during nft_connlimit GC, from Pablo Neira Ayuso.
      
       6) Avoid division by zero in taprio scheduler, from Vladimir Oltean.
      
       7) Various xgmac fixes in stmmac driver from Jose Abreu.
      
       8) Avoid 64-bit division in mlx5 leading to link errors on 32-bit from
          Michal Kubecek.
      
       9) Fix bad VLAN check in rtl8366 DSA driver, from Linus Walleij.
      
      10) Fix sleep while atomic in sja1105, from Vladimir Oltean.
      
      11) Suspend/resume deadlock in stmmac, from Thierry Reding.
      
      12) Various UDP GSO fixes from Josh Hunt.
      
      13) Fix slab out of bounds access in tcp_zerocopy_receive(), from Eric
          Dumazet.
      
      14) Fix OOPS in __ipv6_ifa_notify(), from David Ahern.
      
      15) Memory leak in NFC's llcp_sock_bind, from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (72 commits)
        selftests/net: add nettest to .gitignore
        net: qlogic: Fix memory leak in ql_alloc_large_buffers
        nfc: fix memory leak in llcp_sock_bind()
        sch_dsmark: fix potential NULL deref in dsmark_init()
        net: phy: at803x: use operating parameters from PHY-specific status
        net: phy: extract pause mode
        net: phy: extract link partner advertisement reading
        net: phy: fix write to mii-ctrl1000 register
        ipv6: Handle missing host route in __ipv6_ifa_notify
        net: phy: allow for reset line to be tied to a sleepy GPIO controller
        net: ipv4: avoid mixed n_redirects and rate_tokens usage
        r8152: Set macpassthru in reset_resume callback
        cxgb4:Fix out-of-bounds MSI-X info array access
        Revert "ipv6: Handle race in addrconf_dad_work"
        net: make sock_prot_memory_pressure() return "const char *"
        rxrpc: Fix rxrpc_recvmsg tracepoint
        qmi_wwan: add support for Cinterion CLS8 devices
        tcp: fix slab-out-of-bounds in tcp_zerocopy_receive()
        lib: textsearch: fix escapes in example code
        udp: only do GSO if # of segs > 1
        ...
    • Merge tag 's390-5.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 6fe137cb
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - defconfig updates
      
       - Fix build errors with CC_OPTIMIZE_FOR_SIZE due to usage of "i"
         constraint for function arguments. Two kvm changes acked-by Christian
         Borntraeger.
      
       - Fix -Wunused-but-set-variable warnings in mm code.
      
       - Avoid a constant misuse in qdio.
      
       - Handle a case when cpumf is temporarily unavailable.
      
      * tag 's390-5.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        KVM: s390: mark __insn32_query() as __always_inline
        KVM: s390: fix __insn32_query() inline assembly
        s390: update defconfigs
        s390/pci: mark function(s) __always_inline
        s390/mm: mark function(s) __always_inline
        s390/jump_label: mark function(s) __always_inline
        s390/cpu_mf: mark function(s) __always_inline
        s390/atomic,bitops: mark function(s) __always_inline
        s390/mm: fix -Wunused-but-set-variable warnings
        s390: mark __cpacf_query() as __always_inline
        s390/qdio: clarify size of the QIB parm area
        s390/cpumf: Fix indentation in sampling device driver
        s390/cpumsf: Check for CPU Measurement sampling
        s390/cpumf: Use consistant debug print format
    • KVM: s390: mark __insn32_query() as __always_inline · d0dea733
      Heiko Carstens authored
      __insn32_query() will not compile if the compiler decides to not
      inline it, since it contains an inline assembly with an "i" constraint
      with variable contents.
      Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    • KVM: s390: fix __insn32_query() inline assembly · b1c41ac3
      Heiko Carstens authored
      The inline assembly constraints of __insn32_query() tell the compiler
      that only the first byte of "query" is being written to. Intended was
      probably that 32 bytes are written to.
      
      Fix and simplify the code and just use a "memory" clobber.
      
      Fixes: d6681397 ("KVM: s390: provide query function for instructions returning 32 byte")
      Cc: stable@vger.kernel.org # v5.2+
      Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    • kheaders: make headers archive reproducible · 86cdd2fd
      Dmitry Goldin authored
      In commit 43d8ce9d ("Provide in-kernel headers to make
      extending kernel easier") a new mechanism was introduced, for kernels
      >=5.2, which embeds the kernel headers in the kernel image or a module
      and exposes them in procfs for use by userland tools.
      
      The archive containing the header files has nondeterminism caused by
      header files metadata. This patch normalizes the metadata and utilizes
      KBUILD_BUILD_TIMESTAMP if provided and otherwise falls back to the
      default behaviour.
      
      In commit f7b101d3 ("kheaders: Move from proc to sysfs") it was
      modified to use sysfs and the script for generation of the archive was
      renamed to what is being patched.
      Signed-off-by: Dmitry Goldin <dgoldin+lkml@protonmail.ch>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    • kbuild: update compile-test header list for v5.4-rc2 · d188b8c9
      Masahiro Yamada authored
      Commit 6dc280eb ("coda: remove uapi/linux/coda_psdev.h") removed
      a header in question. Some more build errors were fixed. Add more
      headers into the test coverage.
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    • kbuild: two minor updates for Documentation/kbuild/modules.rst · 43496709
      Masahiro Yamada authored
      Capitalize the first word in the sentence.
      
      Use obj-m instead of obj-y. obj-y still works, but we have no built-in
      objects in external module builds. So, obj-m is better IMHO.
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    • scripts/setlocalversion: clear local variable to make it work for sh · 7a82e3fa
      Masahiro Yamada authored
      Geert Uytterhoeven reports a strange side-effect of commit 858805b3
      ("kbuild: add $(BASH) to run scripts with bash-extension"), which
      inserts the contents of a localversion file in the build directory twice.
      
      [Steps to Reproduce]
        $ echo bar > localversion
        $ mkdir build
        $ cd build/
        $ echo foo > localversion
        $ make -s -f ../Makefile defconfig include/config/kernel.release
        $ cat include/config/kernel.release
        5.4.0-rc1foofoobar
      
      This comes down to the behavior change of local variables.
      
      The 'man sh' on my Ubuntu machine, where sh is an alias to dash,
      explains as follows:
        When a variable is made local, it inherits the initial value and
        exported and readonly flags from the variable with the same name
        in the surrounding scope, if there is one. Otherwise, the variable
        is initially unset.
      
      [Test Code]
      
        foo ()
        {
                local res
                echo "res: $res"
        }
      
        res=1
        foo
      
      [Result]
      
        $ sh test.sh
        res: 1
        $ bash test.sh
        res:
      
      So, scripts/setlocalversion correctly works only for bash in spite of
      its hashbang being #!/bin/sh. Nobody had noticed it before because
      CONFIG_SHELL was previously set to bash almost all the time.
      
      Now that CONFIG_SHELL is set to sh, we must write portable and correct
      code. I gave the Fixes tag to the commit that uncovered the issue.
      
      Clear the variable 'res' in collect_files() to make it work for sh
      (and it also works on distributions where sh is an alias to bash).
      
      Fixes: 858805b3 ("kbuild: add $(BASH) to run scripts with bash-extension")
      Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
      7a82e3fa
    • namespace: fix namespace.pl script to support relative paths · 82fdd12b
      Jacob Keller authored
      The namespace.pl script does not work properly if objtree is not set to
      an absolute path. The do_nm function is run from within the find
      function, which changes directories.
      
      Because of this, appending objtree, $File::Find::dir, and $source, will
      return a path which is not valid from the current directory.
      
      This used to work when objtree was set to an absolute path when using
      "make namespacecheck". It appears to have not worked when calling
      ./scripts/namespace.pl directly.
      
      This behavior was changed in 7e1c0477 ("kbuild: Use relative path
      for $(objtree)", 2014-05-14)
      
      Rather than fixing the Makefile to set objtree to an absolute path, just
      fix namespace.pl to work when srctree and objtree are relative. Also fix
      the script to use an absolute path for these by default.
      
      Use the File::Spec module for this purpose. It's been part of perl
      5 since 5.005.
      
      The curdir() function is used to get the current directory when the
      objtree and srctree aren't set in the environment.
      
      rel2abs() is used to convert possibly relative objtree and srctree
      environment variables to absolute paths.
      
      Finally, the catfile() function is used instead of string appending
      paths together, since this is more robust when joining paths together.
      Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
      Acked-by: Randy Dunlap <rdunlap@infradead.org>
      Tested-by: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      82fdd12b
    • video/logo: do not generate unneeded logo C files · 01bb2515
      Masahiro Yamada authored
      Currently, all the logo C files are generated irrespective of the
      CONFIG options. Adding them to extra-y is wrong. What we need to do
      here is to add them to 'targets' so that if_changed works properly.
      
      Files listed in 'targets' are cleaned, so clean-files is unneeded.
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      01bb2515
    • video/logo: remove unneeded *.o pattern from clean-files · a9bbe79f
      Masahiro Yamada authored
      The pattern *.o is cleaned up globally by the top Makefile.
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      a9bbe79f
    • integrity: remove pointless subdir-$(CONFIG_...) · 7a8beb7a
      Masahiro Yamada authored
      The ima/ and evm/ sub-directories contain built-in objects, so
      obj-$(CONFIG_...) is the correct way to descend into them.
      
      subdir-$(CONFIG_...) is redundant.
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      7a8beb7a
    • integrity: remove unneeded, broken attempt to add -fshort-wchar · 6b190d3c
      Masahiro Yamada authored
      I guess commit 15ea0e1e ("efi: Import certificates from UEFI Secure
      Boot") attempted to add -fshort-wchar for building load_uefi.o, but it
      has never worked as intended.
      
      load_uefi.o is created in the platform_certs/ sub-directory. If you
      really want to add -fshort-wchar, the correct code is:
      
        $(obj)/platform_certs/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar
      
      But, you do not need to fix it.
      
      Commit 8c97023c ("Kbuild: use -fshort-wchar globally") had already
      added -fshort-wchar globally. This code was unneeded in the first place.
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      6b190d3c
    • selftests/net: add nettest to .gitignore · ef129d34
      Jakub Kicinski authored
      nettest is missing from gitignore.
      
      Fixes: acda655f ("selftests: Add nettest")
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ef129d34
    • net: qlogic: Fix memory leak in ql_alloc_large_buffers · 1acb8f2a
      Navid Emamdoost authored
      In ql_alloc_large_buffers, a new skb is allocated via netdev_alloc_skb.
      This skb should be released if pci_dma_mapping_error fails.
      
      Fixes: 0f8ab89e ("qla3xxx: Check return code from pci_map_single() in ql_release_to_lrg_buf_free_list(), ql_populate_free_queue(), ql_alloc_large_buffers(), and ql3xxx_send()")
      Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      1acb8f2a
    • nfc: fix memory leak in llcp_sock_bind() · a0c2dc1f
      Eric Dumazet authored
      syzbot reported a memory leak after a bind() has failed.
      
      While we are at it, abort the operation if kmemdup() has failed.
      
      BUG: memory leak
      unreferenced object 0xffff888105d83ec0 (size 32):
        comm "syz-executor067", pid 7207, jiffies 4294956228 (age 19.430s)
        hex dump (first 32 bytes):
          00 69 6c 65 20 72 65 61 64 00 6e 65 74 3a 5b 34  .ile read.net:[4
          30 32 36 35 33 33 30 39 37 5d 00 00 00 00 00 00  026533097]......
        backtrace:
          [<0000000036bac473>] kmemleak_alloc_recursive /./include/linux/kmemleak.h:43 [inline]
          [<0000000036bac473>] slab_post_alloc_hook /mm/slab.h:522 [inline]
          [<0000000036bac473>] slab_alloc /mm/slab.c:3319 [inline]
          [<0000000036bac473>] __do_kmalloc /mm/slab.c:3653 [inline]
          [<0000000036bac473>] __kmalloc_track_caller+0x169/0x2d0 /mm/slab.c:3670
          [<000000000cd39d07>] kmemdup+0x27/0x60 /mm/util.c:120
          [<000000008e57e5fc>] kmemdup /./include/linux/string.h:432 [inline]
          [<000000008e57e5fc>] llcp_sock_bind+0x1b3/0x230 /net/nfc/llcp_sock.c:107
          [<000000009cb0b5d3>] __sys_bind+0x11c/0x140 /net/socket.c:1647
          [<00000000492c3bbc>] __do_sys_bind /net/socket.c:1658 [inline]
          [<00000000492c3bbc>] __se_sys_bind /net/socket.c:1656 [inline]
          [<00000000492c3bbc>] __x64_sys_bind+0x1e/0x30 /net/socket.c:1656
          [<0000000008704b2a>] do_syscall_64+0x76/0x1a0 /arch/x86/entry/common.c:296
          [<000000009f4c57a4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 30cc4587 ("NFC: Move LLCP code to the NFC top level diirectory")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a0c2dc1f