1. 15 Jun, 2017 11 commits
    • xypron.glpk@gmx.de's avatar
      Doc: net: dsa: b53: update location of referenced dsa.txt · 3b1bbafb
      xypron.glpk@gmx.de authored
      The referenced file dsa.txt is located at
      Documentation/devicetree/bindings/net/dsa/dsa.txt
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarHeinrich Schuchardt <xypron.glpk@gmx.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b1bbafb
    • Xin Long's avatar
      sctp: return next obj by passing pos + 1 into sctp_transport_get_idx · 988c7322
      Xin Long authored
      In sctp_for_each_transport, pos is used to save how many objs it has
      dumped. Now it gets the last obj by sctp_transport_get_idx, then gets
      the next obj by sctp_transport_get_next.
      
      The issue is that in the meanwhile if some objs in transport hashtable
      are removed and the objs nums are less than pos, sctp_transport_get_idx
      would return NULL and hti.walker.tbl is NULL as well. At this moment
      it should stop hti, instead of continue getting the next obj. Or it
      would cause a NULL pointer dereference in sctp_transport_get_next.
      
      This patch is to pass pos + 1 into sctp_transport_get_idx to get the
      next obj directly, even if pos > objs nums, it would return NULL and
      stop hti.
      
      Fixes: 626d16f5 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      988c7322
    • David Howells's avatar
      rxrpc: Fix several cases where a padded len isn't checked in ticket decode · 5f2f9765
      David Howells authored
      This fixes CVE-2017-7482.
      
      When a kerberos 5 ticket is being decoded so that it can be loaded into an
      rxrpc-type key, there are several places in which the length of a
      variable-length field is checked to make sure that it's not going to
      overrun the available data - but the data is padded to the nearest
      four-byte boundary and the code doesn't check for this extra.  This could
      lead to the size-remaining variable wrapping and the data pointer going
      over the end of the buffer.
      
      Fix this by making the various variable-length data checks use the padded
      length.
      Reported-by: default avatar石磊 <shilei-c@360.cn>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarMarc Dionne <marc.c.dionne@auristor.com>
      Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f2f9765
    • Xin Long's avatar
      ipv6: fix calling in6_ifa_hold incorrectly for dad work · f8a894b2
      Xin Long authored
      Now when starting the dad work in addrconf_mod_dad_work, if the dad work
      is idle and queued, it needs to hold ifa.
      
      The problem is there's one gap in [1], during which if the pending dad work
      is removed elsewhere. It will miss to hold ifa, but the dad word is still
      idea and queue.
      
              if (!delayed_work_pending(&ifp->dad_work))
                      in6_ifa_hold(ifp);
                          <--------------[1]
              mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);
      
      An use-after-free issue can be caused by this.
      
      Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in
      net6_ifa_finish_destroy was hit because of it.
      
      As Hannes' suggestion, this patch is to fix it by holding ifa first in
      addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if
      the dad_work is already in queue.
      
      Note that this patch did not choose to fix it with:
      
        if (!mod_delayed_work(delay))
                in6_ifa_hold(ifp);
      
      As with it, when delay == 0, dad_work would be scheduled immediately, all
      addrconf_mod_dad_work(0) callings had to be moved under ifp->lock.
      Reported-by: default avatarWei Chen <weichen@redhat.com>
      Suggested-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f8a894b2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a090bd4f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) The netlink attribute passed in to dev_set_alias() is not
          necessarily NULL terminated, don't use strlcpy() on it. From
          Alexander Potapenko.
      
       2) Fix implementation of atomics in arm64 bpf JIT, from Daniel
          Borkmann.
      
       3) Correct the release of netdevs and driver private data in certain
          circumstances.
      
       4) Sanitize netlink message length properly in decnet, from Mateusz
          Jurczyk.
      
       5) Don't leak kernel data in rtnl_fill_vfinfo() netlink blobs. From
          Yuval Mintz.
      
       6) Hash secret is never initialized in ipv6 ILA translation code, from
          Arnd Bergmann. I guess those clang warnings about unused inline
          functions are useful for something!
      
       7) Fix endian selection in bpf_endian.h, from Daniel Borkmann.
      
       8) Sanitize sockaddr length before dereferncing any fields in AF_UNIX
          and CAIF. From Mateusz Jurczyk.
      
       9) Fix timestamping for GMAC3 chips in stmmac driver, from Mario
          Molitor.
      
      10) Do not leak netdev on dev_alloc_name() errors in mac80211, from
          Johannes Berg.
      
      11) Fix locking in sctp_for_each_endpoint(), from Xin Long.
      
      12) Fix wrong memset size on 32-bit in snmp6, from Christian Perle.
      
      13) Fix use after free in ip_mc_clear_src(), from WANG Cong.
      
      14) Fix regressions caused by ICMP rate limiting changes in 4.11, from
          Jesper Dangaard Brouer.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (91 commits)
        i40e: Fix a sleep-in-atomic bug
        net: don't global ICMP rate limit packets originating from loopback
        net/act_pedit: fix an error code
        net: update undefined ->ndo_change_mtu() comment
        net_sched: move tcf_lock down after gen_replace_estimator()
        caif: Add sockaddr length check before accessing sa_family in connect handler
        qed: fix dump of context data
        qmi_wwan: new Telewell and Sierra device IDs
        net: phy: Fix MDIO_THUNDER dependencies
        netconsole: Remove duplicate "netconsole: " logging prefix
        igmp: acquire pmc lock for ip_mc_clear_src()
        r8152: give the device version
        net: rps: fix uninitialized symbol warning
        mac80211: don't send SMPS action frame in AP mode when not needed
        mac80211/wpa: use constant time memory comparison for MACs
        mac80211: set bss_info data before configuring the channel
        mac80211: remove 5/10 MHz rate code from station MLME
        mac80211: Fix incorrect condition when checking rx timestamp
        mac80211: don't look at the PM bit of BAR frames
        i40e: fix handling of HW ATR eviction
        ...
      a090bd4f
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 54ed0f71
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "This fixes a bug on sparc where we may dereference freed stack memory"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: Work around deallocated stack frame reference gcc bug on sparc.
      54ed0f71
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 35e60a6b
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These revert an ACPICA commit from the 4.11 cycle that causes problems
        to happen on some systems and add a protection against possible kernel
        crashes due to table reference counter imbalance.
      
        Specifics:
      
         - Revert a 4.11 ACPICA change that made assumptions which are not
           satisfied on some systems and caused the enumeration of resources
           to fail on them (Rafael Wysocki).
      
         - Add a mechanism to prevent tables from being unmapped prematurely
           due to reference counter overflows (Lv Zheng)"
      
      * tag 'acpi-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPICA: Tables: Mechanism to handle late stage acpi_get_table() imbalance
        Revert "ACPICA: Disassembler: Enhance resource descriptor detection"
      35e60a6b
    • Linus Torvalds's avatar
      Merge tag 'pm-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 92091c43
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These revert a recent cpufreq schedutil governor change that turned
        out to be problematic and fix a few minor issues in cpufreq, cpuidle
        and the Exynos devfreq drivers.
      
        Specifics:
      
         - Revert a recent cpufreq schedutil governor change that caused some
           systems to behave undesirably (Rafael Wysocki).
      
         - Fix a cpufreq conservative governor issue introduced during the
           3.10 cycle that prevents it from working as expected in some
           situations (Tomasz Wilczyński).
      
         - Fix an error code path in the generic cpuidle driver for DT-based
           systems (Christophe Jaillet).
      
         - Fix three minor issues in devfreq drivers for Exynos (Arvind Yadav,
           Krzysztof Kozlowski)"
      
      * tag 'pm-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpuidle: dt: Add missing 'of_node_put()'
        cpufreq: conservative: Allow down_threshold to take values from 1 to 10
        Revert "cpufreq: schedutil: Reduce frequencies slower"
        PM / devfreq: exynos-ppmu: Staticize event list
        PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable
        PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable
      92091c43
    • Linus Torvalds's avatar
      Merge branch 'for-4.12/driver-matching-fix' of... · b45edc2d
      Linus Torvalds authored
      Merge branch 'for-4.12/driver-matching-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
      
      Pull HID fix from Jiri Kosina:
      
       - ifdef-based bandaid for a long-standing issue with HID driver
         matching, avoiding regressions in cases where specific driver is not
         enabled in kernel .config, from Jiri Kosina
      
      * 'for-4.12/driver-matching-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: let generic driver yield control iff specific driver has been enabled
      b45edc2d
    • Linus Torvalds's avatar
      Merge tag 'media/v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 906e0c5b
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
      
       - some build dependency issues at CEC core with randconfigs
      
       - fix an off by one error at vb2
      
       - a race fix at cec core
      
       - driver fixes at tc358743, sir_ir and rainshadow-cec
      
      * tag 'media/v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] media/cec.h: use IS_REACHABLE instead of IS_ENABLED
        [media] cec: race fix: don't return -ENONET in cec_receive()
        [media] sir_ir: infinite loop in interrupt handler
        [media] cec-notifier.h: handle unreachable CONFIG_CEC_CORE
        [media] cec: improve MEDIA_CEC_RC dependencies
        [media] vb2: Fix an off by one error in 'vb2_plane_vaddr'
        [media] rainshadow-cec: Fix missing spin_lock_init()
        [media] tc358743: fix register i2c_rd/wr function fix
      906e0c5b
    • Jia-Ju Bai's avatar
      i40e: Fix a sleep-in-atomic bug · 640f93cc
      Jia-Ju Bai authored
      The driver may sleep under a spin lock, and the function call path is:
      i40e_ndo_set_vf_port_vlan (acquire the lock by spin_lock_bh)
        i40e_vsi_remove_pvid
          i40e_vlan_stripping_disable
            i40e_aq_update_vsi_params
              i40e_asq_send_command
                mutex_lock --> may sleep
      
      To fixed it, the spin lock is released before "i40e_vsi_remove_pvid", and
      the lock is acquired again after this function.
      Signed-off-by: default avatarJia-Ju Bai <baijiaju1990@163.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      640f93cc
  2. 14 Jun, 2017 6 commits
  3. 13 Jun, 2017 19 commits
  4. 12 Jun, 2017 4 commits
    • Jacob Keller's avatar
      i40e: fix handling of HW ATR eviction · 6964e53f
      Jacob Keller authored
      A recent commit to refactor the driver and remove the hw_disabled_flags
      field accidentally introduced two regressions. First, we overwrote
      pf->flags which removed various key flags including the MSI-X settings.
      
      Additionally, it was intended that we have now two flags,
      HW_ATR_EVICT_CAPABLE and HW_ATR_EVICT_ENABLED, but this was not done,
      and we accidentally were mis-using HW_ATR_EVICT_CAPABLE everywhere.
      
      This patch adds the missing piece, HW_ATR_EVICT_ENABLED, and safely
      updates pf->flags instead of overwriting it.
      
      Without this patch we will have many problems including disabling MSI-X
      support, and we'll attempt to use HW ATR eviction on devices which do
      not support it.
      
      Fixes: 47994c11 ("i40e: remove hw_disabled_flags in favor of using separate flag bits", 2017-04-19)
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6964e53f
    • Karicheri, Muralidharan's avatar
      hsr: fix incorrect warning · 675c8da0
      Karicheri, Muralidharan authored
      When HSR interface is setup using ip link command, an annoying warning
      appears with the trace as below:-
      
      [  203.019828] hsr_get_node: Non-HSR frame
      [  203.019833] Modules linked in:
      [  203.019848] CPU: 0 PID: 158 Comm: sd-resolve Tainted: G        W       4.12.0-rc3-00052-g9fa6bf70 #2
      [  203.019853] Hardware name: Generic DRA74X (Flattened Device Tree)
      [  203.019869] [<c0110280>] (unwind_backtrace) from [<c010c2f4>] (show_stack+0x10/0x14)
      [  203.019880] [<c010c2f4>] (show_stack) from [<c04b9f64>] (dump_stack+0xac/0xe0)
      [  203.019894] [<c04b9f64>] (dump_stack) from [<c01374e8>] (__warn+0xd8/0x104)
      [  203.019907] [<c01374e8>] (__warn) from [<c0137548>] (warn_slowpath_fmt+0x34/0x44)
      root@am57xx-evm:~# [  203.019921] [<c0137548>] (warn_slowpath_fmt) from [<c081126c>] (hsr_get_node+0x148/0x170)
      [  203.019932] [<c081126c>] (hsr_get_node) from [<c0814240>] (hsr_forward_skb+0x110/0x7c0)
      [  203.019942] [<c0814240>] (hsr_forward_skb) from [<c0811d64>] (hsr_dev_xmit+0x2c/0x34)
      [  203.019954] [<c0811d64>] (hsr_dev_xmit) from [<c06c0828>] (dev_hard_start_xmit+0xc4/0x3bc)
      [  203.019963] [<c06c0828>] (dev_hard_start_xmit) from [<c06c13d8>] (__dev_queue_xmit+0x7c4/0x98c)
      [  203.019974] [<c06c13d8>] (__dev_queue_xmit) from [<c0782f54>] (ip6_finish_output2+0x330/0xc1c)
      [  203.019983] [<c0782f54>] (ip6_finish_output2) from [<c0788f0c>] (ip6_output+0x58/0x454)
      [  203.019994] [<c0788f0c>] (ip6_output) from [<c07b16cc>] (mld_sendpack+0x420/0x744)
      
      As this is an expected path to hsr_get_node() with frame coming from
      the master interface, add a check to ensure packet is not from the
      master port and then warn.
      Signed-off-by: default avatarMurali Karicheri <m-karicheri2@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      675c8da0
    • Christian Perle's avatar
      proc: snmp6: Use correct type in memset · 3500cd73
      Christian Perle authored
      Reading /proc/net/snmp6 yields bogus values on 32 bit kernels.
      Use "u64" instead of "unsigned long" in sizeof().
      
      Fixes: 4a4857b1 ("proc: Reduce cache miss in snmp6_seq_show")
      Signed-off-by: default avatarChristian Perle <christian.perle@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3500cd73
    • Rafael J. Wysocki's avatar
      Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/mzx/devfreq · 74b2c983
      Rafael J. Wysocki authored
      Pull devfreq fixes from MyungJoo Ham.
      
      * 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/mzx/devfreq:
        PM / devfreq: exynos-ppmu: Staticize event list
        PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable
        PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable
      74b2c983