1. 16 May, 2020 4 commits
  2. 15 May, 2020 23 commits
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.7-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 12bf0b63
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       "Highlights include:
      
        Stable fixes:
         - nfs: fix NULL deference in nfs4_get_valid_delegation
      
        Bugfixes:
         - Fix corruption of the return value in cachefiles_read_or_alloc_pages()
         - Fix several fscache cookie issues
         - Fix a fscache queuing race that can trigger a BUG_ON
         - NFS: Fix two use-after-free regressions due to the RPC_TASK_CRED_NOREF flag
         - SUNRPC: Fix a use-after-free regression in rpc_free_client_work()
         - SUNRPC: Fix a race when tearing down the rpc client debugfs directory
         - SUNRPC: Signalled ASYNC tasks need to exit
         - NFSv3: fix rpc receive buffer size for MOUNT call"
      
      * tag 'nfs-for-5.7-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv3: fix rpc receive buffer size for MOUNT call
        SUNRPC: 'Directory with parent 'rpc_clnt' already present!'
        NFS/pnfs: Don't use RPC_TASK_CRED_NOREF with pnfs
        NFS: Don't use RPC_TASK_CRED_NOREF with delegreturn
        SUNRPC: Signalled ASYNC tasks need to exit
        nfs: fix NULL deference in nfs4_get_valid_delegation
        SUNRPC: fix use-after-free in rpc_free_client_work()
        cachefiles: Fix race between read_waiter and read_copier involving op->to_do
        NFSv4: Fix fscache cookie aux_data to ensure change_attr is included
        NFS: Fix fscache super_cookie allocation
        NFS: Fix fscache super_cookie index_key from changing after umount
        cachefiles: Fix corruption of the return value in cachefiles_read_or_alloc_pages()
      12bf0b63
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f85c1598
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix sk_psock reference count leak on receive, from Xiyu Yang.
      
       2) CONFIG_HNS should be invisible, from Geert Uytterhoeven.
      
       3) Don't allow locking route MTUs in ipv6, RFCs actually forbid this,
          from Maciej Żenczykowski.
      
       4) ipv4 route redirect backoff wasn't actually enforced, from Paolo
          Abeni.
      
       5) Fix netprio cgroup v2 leak, from Zefan Li.
      
       6) Fix infinite loop on rmmod in conntrack, from Florian Westphal.
      
       7) Fix tcp SO_RCVLOWAT hangs, from Eric Dumazet.
      
       8) Various bpf probe handling fixes, from Daniel Borkmann.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (68 commits)
        selftests: mptcp: pm: rm the right tmp file
        dpaa2-eth: properly handle buffer size restrictions
        bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier
        bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range
        bpf: Restrict bpf_probe_read{, str}() only to archs where they work
        MAINTAINERS: Mark networking drivers as Maintained.
        ipmr: Add lockdep expression to ipmr_for_each_table macro
        ipmr: Fix RCU list debugging warning
        drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c
        net: phy: broadcom: fix BCM54XX_SHD_SCR3_TRDDAPD value for BCM54810
        tcp: fix error recovery in tcp_zerocopy_receive()
        MAINTAINERS: Add Jakub to networking drivers.
        MAINTAINERS: another add of Karsten Graul for S390 networking
        drivers: ipa: fix typos for ipa_smp2p structure doc
        pppoe: only process PADT targeted at local interfaces
        selftests/bpf: Enforce returning 0 for fentry/fexit programs
        bpf: Enforce returning 0 for fentry/fexit progs
        net: stmmac: fix num_por initialization
        security: Fix the default value of secid_to_secctx hook
        libbpf: Fix register naming in PT_REGS s390 macros
        ...
      f85c1598
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · d5dfe4f1
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "A few minor bug fixes for user visible defects, and one regression:
      
         - Various bugs from static checkers and syzkaller
      
         - Add missing error checking in mlx4
      
         - Prevent RTNL lock recursion in i40iw
      
         - Fix segfault in cxgb4 in peer abort cases
      
         - Fix a regression added in 5.7 where the IB_EVENT_DEVICE_FATAL could
           be lost, and wasn't delivered to all the FDs"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj
        RDMA/uverbs: Do not discard the IB_EVENT_DEVICE_FATAL event
        RDMA/iw_cxgb4: Fix incorrect function parameters
        RDMA/core: Fix double put of resource
        IB/core: Fix potential NULL pointer dereference in pkey cache
        IB/hfi1: Fix another case where pq is left on waitlist
        IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
        IB/mlx4: Test return value of calls to ib_get_cached_pkey
        RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info()
        i40iw: Fix error handling in i40iw_manage_arp_cache()
      d5dfe4f1
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-5.7-rc6' of... · ce247296
      Linus Torvalds authored
      Merge tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
      
       - lkdtm runner fixes to prevent dmesg clearing and shellcheck errors
      
       - ftrace test handling when test module doesn't exist
      
       - nsfs test fix to replace zero-length array with flexible-array
      
       - dmabuf-heaps test fix to return clear error value
      
      * tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/lkdtm: Use grep -E instead of egrep
        selftests/lkdtm: Don't clear dmesg when running tests
        selftests/ftrace: mark irqsoff_tracer.tc test as unresolved if the test module does not exist
        tools/testing: Replace zero-length array with flexible-array
        kselftests: dmabuf-heaps: Fix confused return value on expected error testing
      ce247296
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 67e45621
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
       "A handful of build fixes, all found by Huawei's autobuilder.
      
        None of these patches should have any functional impact on kernels
        that build, and they're mostly related to various features
        intermingling with !MMU.
      
        While some of these might be better hoisted to generic code, it seems
        better to have the simple fixes in the meanwhile.
      
        As far as I know these are the only outstanding patches for 5.7"
      
      * tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: mmiowb: Fix implicit declaration of function 'smp_processor_id'
        riscv: pgtable: Fix __kernel_map_pages build error if NOMMU
        riscv: Make SYS_SUPPORTS_HUGETLBFS depends on MMU
        riscv: Disable ARCH_HAS_DEBUG_VIRTUAL if NOMMU
        riscv: Add pgprot_writecombine/device and PAGE_SHARED defination if NOMMU
        riscv: stacktrace: Fix undefined reference to `walk_stackframe'
        riscv: Fix unmet direct dependencies built based on SOC_VIRT
        riscv: perf: RISCV_BASE_PMU should be independent
        riscv: perf_event: Make some funciton static
      67e45621
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 01d8a748
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Fix flush_icache_range() second argument in machine_kexec() to be an
        address rather than size"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: fix the flush_icache_range arguments in machine_kexec
      01d8a748
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8e138104
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2020-05-15
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 9 non-merge commits during the last 2 day(s) which contain
      a total of 14 files changed, 137 insertions(+), 43 deletions(-).
      
      The main changes are:
      
      1) Fix secid_to_secctx LSM hook default value, from Anders.
      
      2) Fix bug in mmap of bpf array, from Andrii.
      
      3) Restrict bpf_probe_read to archs where they work, from Daniel.
      
      4) Enforce returning 0 for fentry/fexit progs, from Yonghong.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8e138104
    • Matthieu Baerts's avatar
      selftests: mptcp: pm: rm the right tmp file · 9a2dbb59
      Matthieu Baerts authored
      "$err" is a variable pointing to a temp file. "$out" is not: only used
      as a local variable in "check()" and representing the output of a
      command line.
      
      Fixes: eedbc685 (selftests: add PM netlink functional tests)
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9a2dbb59
    • Ioana Ciornei's avatar
      dpaa2-eth: properly handle buffer size restrictions · efa6a7d0
      Ioana Ciornei authored
      Depending on the WRIOP version, the buffer size on the RX path must by a
      multiple of 64 or 256. Handle this restriction properly by aligning down
      the buffer size to the necessary value. Also, use the new buffer size
      dynamically computed instead of the compile time one.
      
      Fixes: 27c87486 ("dpaa2-eth: Use a single page per Rx buffer")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efa6a7d0
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-v5.7-rc6' of... · 051e6b7e
      Linus Torvalds authored
      Merge tag 'hwmon-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
      
       - Fix ADC access synchronization problem with da9052 driver
      
       - Fix temperature limit and status reporting in nct7904 driver
      
       - Fix drivetemp temperature reporting if SCT is supported but SCT data
         tables are not.
      
      * tag 'hwmon-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (da9052) Synchronize access with mfd
        hwmon: (nct7904) Fix incorrect range of temperature limit registers
        hwmon: (nct7904) Read all SMI status registers in probe function
        hwmon: (drivetemp) Fix SCT support if SCT data tables are not supported
      051e6b7e
    • Linus Torvalds's avatar
      Merge tag 'sound-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 1742bcd0
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Things look good and calming down; the only change to ALSA core is the
        fix for racy rawmidi buffer accesses spotted by syzkaller, and the
        rest are all small device-specific quirks for HD-audio and USB-audio
        devices"
      
      * tag 'sound-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
        ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA
        ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295
        ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295
        ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295
        ALSA: hda/realtek: Add quirk for Samsung Notebook
        ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
        ALSA: usb-audio: add mapping for ASRock TRX40 Creator
        ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse
        Revert "ALSA: hda/realtek: Fix pop noise on ALC225"
        ALSA: firewire-lib: fix 'function sizeof not defined' error of tracepoints format
        ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset
      1742bcd0
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-05-15' of git://anongit.freedesktop.org/drm/drm · e7cea790
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "As mentioned last week an i915 PR came in late, but I left it, so the
        i915 bits of this cover 2 weeks, which is why it's likely a bit larger
        than usual.
      
        Otherwise it's mostly amdgpu fixes, one tegra fix, one meson fix.
      
        i915:
         - Handle idling during i915_gem_evict_something busy loops (Chris)
         - Mark current submissions with a weak-dependency (Chris)
         - Propagate error from completed fences (Chris)
         - Fixes on execlist to avoid GPU hang situation (Chris)
         - Fixes couple deadlocks (Chris)
         - Timeslice preemption fixes (Chris)
         - Fix Display Port interrupt handling on Tiger Lake (Imre)
         - Reduce debug noise around Frame Buffer Compression (Peter)
         - Fix logic around IPC W/a for Coffee Lake and Kaby Lake (Sultan)
         - Avoid dereferencing a dead context (Chris)
      
        tegra:
         - tegra120/4 smmu fixes
      
        amdgpu:
         - Clockgating fixes
         - Fix fbdev with scatter/gather display
         - S4 fix for navi
         - Soft recovery for gfx10
         - Freesync fixes
         - Atomic check cursor fix
         - Add a gfxoff quirk
         - MST fix
      
        amdkfd:
         - Fix GEM reference counting
      
        meson:
         - error code propogation fix"
      
      * tag 'drm-fixes-2020-05-15' of git://anongit.freedesktop.org/drm/drm: (29 commits)
        drm/i915: Handle idling during i915_gem_evict_something busy loops
        drm/meson: pm resume add return errno branch
        drm/amd/amdgpu: Update update_config() logic
        drm/amd/amdgpu: add raven1 part to the gfxoff quirk list
        drm/i915: Mark concurrent submissions with a weak-dependency
        drm/i915: Propagate error from completed fences
        drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest
        drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance.
        drm/amd/display: add basic atomic check for cursor plane
        drm/amd/display: Fix vblank and pageflip event handling for FreeSync
        drm/amdgpu: implement soft_recovery for gfx10
        drm/amdgpu: enable hibernate support on Navi1X
        drm/amdgpu: Use GEM obj reference for KFD BOs
        drm/amdgpu: force fbdev into vram
        drm/amd/powerplay: perform PG ungate prior to CG ungate
        drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate
        drm/amdgpu: disable MGCG/MGLS also on gfx CG ungate
        drm/i915/execlists: Track inflight CCID
        drm/i915/execlists: Avoid reusing the same logical CCID
        drm/i915/gem: Remove object_is_locked assertion from unpin_from_display_plane
        ...
      e7cea790
    • Alexei Starovoitov's avatar
      Merge branch 'restrict-bpf_probe_read' · 59df9f1f
      Alexei Starovoitov authored
      Daniel Borkmann says:
      
      ====================
      Small set of fixes in order to restrict BPF helpers for tracing which are
      broken on archs with overlapping address ranges as per discussion in [0].
      I've targetted this for -bpf tree so they can be routed as fixes. Thanks!
      
      v1 -> v2:
        - switch to reusable %pks, %pus format specifiers (Yonghong)
          - fixate %s on kernel_ds probing for archs with overlapping addr space
      
            [0] https://lore.kernel.org/bpf/CAHk-=wjJKo0GVixYLmqPn-Q22WFu0xHaBSjKEo7e7Yw72y5SPQ@mail.gmail.com/T/
      ====================
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      59df9f1f
    • Daniel Borkmann's avatar
      bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier · b2a5212f
      Daniel Borkmann authored
      Usage of plain %s conversion specifier in bpf_trace_printk() suffers from the
      very same issue as bpf_probe_read{,str}() helpers, that is, it is broken on
      archs with overlapping address ranges.
      
      While the helpers have been addressed through work in 6ae08ae3 ("bpf: Add
      probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers"), we need
      an option for bpf_trace_printk() as well to fix it.
      
      Similarly as with the helpers, force users to make an explicit choice by adding
      %pks and %pus specifier to bpf_trace_printk() which will then pick the corresponding
      strncpy_from_unsafe*() variant to perform the access under KERNEL_DS or USER_DS.
      The %pk* (kernel specifier) and %pu* (user specifier) can later also be extended
      for other objects aside strings that are probed and printed under tracing, and
      reused out of other facilities like bpf_seq_printf() or BTF based type printing.
      
      Existing behavior of %s for current users is still kept working for archs where it
      is not broken and therefore gated through CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE.
      For archs not having this property we fall-back to pick probing under KERNEL_DS as
      a sensible default.
      
      Fixes: 8d3b7dce ("bpf: add support for %s specifier to bpf_trace_printk()")
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reported-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-4-daniel@iogearbox.net
      b2a5212f
    • Daniel Borkmann's avatar
      bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range · 47cc0ed5
      Daniel Borkmann authored
      Given bpf_probe_read{,str}() BPF helpers are now only available under
      CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE, we need to add the drop-in
      replacements of bpf_probe_read_{kernel,user}_str() to do_refine_retval_range()
      as well to avoid hitting the same issue as in 849fa506 ("bpf/verifier:
      refine retval R0 state for bpf_get_stack helper").
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-3-daniel@iogearbox.net
      47cc0ed5
    • Daniel Borkmann's avatar
      bpf: Restrict bpf_probe_read{, str}() only to archs where they work · 0ebeea8c
      Daniel Borkmann authored
      Given the legacy bpf_probe_read{,str}() BPF helpers are broken on archs
      with overlapping address ranges, we should really take the next step to
      disable them from BPF use there.
      
      To generally fix the situation, we've recently added new helper variants
      bpf_probe_read_{user,kernel}() and bpf_probe_read_{user,kernel}_str().
      For details on them, see 6ae08ae3 ("bpf: Add probe_read_{user, kernel}
      and probe_read_{user,kernel}_str helpers").
      
      Given bpf_probe_read{,str}() have been around for ~5 years by now, there
      are plenty of users at least on x86 still relying on them today, so we
      cannot remove them entirely w/o breaking the BPF tracing ecosystem.
      
      However, their use should be restricted to archs with non-overlapping
      address ranges where they are working in their current form. Therefore,
      move this behind a CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE and
      have x86, arm64, arm select it (other archs supporting it can follow-up
      on it as well).
      
      For the remaining archs, they can workaround easily by relying on the
      feature probe from bpftool which spills out defines that can be used out
      of BPF C code to implement the drop-in replacement for old/new kernels
      via: bpftool feature probe macro
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-2-daniel@iogearbox.net
      0ebeea8c
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2020-05-14' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · 1d2a1eb1
      Dave Airlie authored
      Just one meson patch this time to propagate an error code
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <maxime@cerno.tech>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200514073538.wvdtv5s2mt4wdrdj@gilmour.lan
      1d2a1eb1
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2020-05-13-1' of... · 27db6f7b
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2020-05-13-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Handle idling during i915_gem_evict_something busy loops (Chris)
      - Mark current submissions with a weak-dependency (Chris)
      - Propagate errror from completed fences (Chris)
      - Fixes on execlist to avoid GPU hang situation (Chris)
      - Fixes couple deadlocks (Chris)
      - Timeslice preemption fixes (Chris)
      - Fix Display Port interrupt handling on Tiger Lake (Imre)
      - Reduce debug noise around Frame Buffer Compression
      +(Peter)
      - Fix logic around IPC W/a for Coffee Lake and Kaby Lake
      +(Sultan)
      - Avoid dereferencing a dead context (Chris)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200514040235.GA2164266@intel.com
      27db6f7b
    • David S. Miller's avatar
    • Amol Grover's avatar
      ipmr: Add lockdep expression to ipmr_for_each_table macro · 7013908c
      Amol Grover authored
      During the initialization process, ipmr_new_table() is called
      to create new tables which in turn calls ipmr_get_table() which
      traverses net->ipv4.mr_tables without holding the writer lock.
      However, this is safe to do so as no tables exist at this time.
      Hence add a suitable lockdep expression to silence the following
      false-positive warning:
      
      =============================
      WARNING: suspicious RCU usage
      5.7.0-rc3-next-20200428-syzkaller #0 Not tainted
      -----------------------------
      net/ipv4/ipmr.c:136 RCU-list traversed in non-reader section!!
      
      ipmr_get_table+0x130/0x160 net/ipv4/ipmr.c:136
      ipmr_new_table net/ipv4/ipmr.c:403 [inline]
      ipmr_rules_init net/ipv4/ipmr.c:248 [inline]
      ipmr_net_init+0x133/0x430 net/ipv4/ipmr.c:3089
      
      Fixes: f0ad0860 ("ipv4: ipmr: support multiple tables")
      Reported-by: syzbot+1519f497f2f9f08183c6@syzkaller.appspotmail.com
      Suggested-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarAmol Grover <frextrite@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7013908c
    • Amol Grover's avatar
      ipmr: Fix RCU list debugging warning · a14fbcd4
      Amol Grover authored
      ipmr_for_each_table() macro uses list_for_each_entry_rcu()
      for traversing outside of an RCU read side critical section
      but under the protection of rtnl_mutex. Hence, add the
      corresponding lockdep expression to silence the following
      false-positive warning at boot:
      
      [    4.319347] =============================
      [    4.319349] WARNING: suspicious RCU usage
      [    4.319351] 5.5.4-stable #17 Tainted: G            E
      [    4.319352] -----------------------------
      [    4.319354] net/ipv4/ipmr.c:1757 RCU-list traversed in non-reader section!!
      
      Fixes: f0ad0860 ("ipv4: ipmr: support multiple tables")
      Signed-off-by: default avatarAmol Grover <frextrite@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a14fbcd4
    • Madhuparna Bhowmik's avatar
      drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c · 95f59bf8
      Madhuparna Bhowmik authored
      This patch fixes the following warning:
      =============================
      WARNING: suspicious RCU usage
      5.7.0-rc5-next-20200514-syzkaller #0 Not tainted
      -----------------------------
      drivers/net/hamradio/bpqether.c:149 RCU-list traversed in non-reader section!!
      
      Since rtnl lock is held, pass this cond in list_for_each_entry_rcu().
      
      Reported-by: syzbot+bb82cafc737c002d11ca@syzkaller.appspotmail.com
      Signed-off-by: default avatarMadhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      95f59bf8
    • Kevin Lo's avatar
      net: phy: broadcom: fix BCM54XX_SHD_SCR3_TRDDAPD value for BCM54810 · cc8a677a
      Kevin Lo authored
      Set the correct bit when checking for PHY_BRCM_DIS_TXCRXC_NOENRGY on the
      BCM54810 PHY.
      
      Fixes: 0ececcfc ("net: phy: broadcom: Allow BCM54810 to use bcm54xx_adjust_rxrefclk()")
      Signed-off-by: default avatarKevin Lo <kevlo@kevlo.org>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc8a677a
  3. 14 May, 2020 13 commits
    • Olga Kornievskaia's avatar
      NFSv3: fix rpc receive buffer size for MOUNT call · 8eed292b
      Olga Kornievskaia authored
      Prior to commit e3d3ab64dd66 ("SUNRPC: Use au_rslack when
      computing reply buffer size"), there was enough slack in the reply
      buffer to commodate filehandles of size 60bytes. However, the real
      problem was that the reply buffer size for the MOUNT operation was
      not correctly calculated. Received buffer size used the filehandle
      size for NFSv2 (32bytes) which is much smaller than the allowed
      filehandle size for the v3 mounts.
      
      Fix the reply buffer size (decode arguments size) for the MNT command.
      
      Fixes: 2c94b8ec ("SUNRPC: Use au_rslack when computing reply buffer size")
      Signed-off-by: default avatarOlga Kornievskaia <kolga@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      8eed292b
    • Eric Dumazet's avatar
      tcp: fix error recovery in tcp_zerocopy_receive() · e776af60
      Eric Dumazet authored
      If user provides wrong virtual address in TCP_ZEROCOPY_RECEIVE
      operation we want to return -EINVAL error.
      
      But depending on zc->recv_skip_hint content, we might return
      -EIO error if the socket has SOCK_DONE set.
      
      Make sure to return -EINVAL in this case.
      
      BUG: KMSAN: uninit-value in tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline]
      BUG: KMSAN: uninit-value in do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685
      CPU: 1 PID: 625 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline]
       do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685
       tcp_getsockopt+0xf8/0x1f0 net/ipv4/tcp.c:3728
       sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3131
       __sys_getsockopt+0x533/0x7b0 net/socket.c:2177
       __do_sys_getsockopt net/socket.c:2192 [inline]
       __se_sys_getsockopt+0xe1/0x100 net/socket.c:2189
       __x64_sys_getsockopt+0x62/0x80 net/socket.c:2189
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45c829
      Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f1deeb72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
      RAX: ffffffffffffffda RBX: 00000000004e01e0 RCX: 000000000045c829
      RDX: 0000000000000023 RSI: 0000000000000006 RDI: 0000000000000009
      RBP: 000000000078bf00 R08: 0000000020000200 R09: 0000000000000000
      R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000001d8 R14: 00000000004d3038 R15: 00007f1deeb736d4
      
      Local variable ----zc@do_tcp_getsockopt created at:
       do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670
       do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670
      
      Fixes: 05255b82 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e776af60
    • J. Bruce Fields's avatar
      SUNRPC: 'Directory with parent 'rpc_clnt' already present!' · 933496e9
      J. Bruce Fields authored
      Each rpc_client has a cl_clid which is allocated from a global ida, and
      a debugfs directory which is named after cl_clid.
      
      We're releasing the cl_clid before we free the debugfs directory named
      after it.  As soon as the cl_clid is released, that value is available
      for another newly created client.
      
      That leaves a window where another client may attempt to create a new
      debugfs directory with the same name as the not-yet-deleted debugfs
      directory from the dying client.  Symptoms are log messages like
      
      	Directory 4 with parent 'rpc_clnt' already present!
      
      Fixes: 7c4310ff "SUNRPC: defer slow parts of rpc_free_client() to a workqueue."
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      933496e9
    • Linus Torvalds's avatar
      Merge tag 'mmc-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 1ae7efb3
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Fix a couple of quite severe issues for the CQE request path
      
        MMC host:
         - alcor: Fix a resource leak in the error path for ->probe()
         - sdhci-acpi: Fix the DMA support for the AMD eMMC v5.0 variant
         - sdhci-pci-gli: Fix system resume support for GL975x
         - sdhci-pci-gli: Fix reboot error for GL9750"
      
      * tag 'mmc-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040
        mmc: block: Fix request completion in the CQE timeout path
        mmc: core: Fix recursive locking issue in CQE recovery path
        mmc: core: Check request type before completing the request
        mmc: sdhci-pci-gli: Fix can not access GL9750 after reboot from Windows 10
        mmc: alcor: Fix a resource leak in the error path for ->probe()
        mmc: sdhci-pci-gli: Fix no irq handler from suspend
      1ae7efb3
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 1b54f4fa
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Fix gcc-10 compilation warning in nf_conntrack, from Arnd Bergmann.
      
      2) Add NF_FLOW_HW_PENDING to avoid races between stats and deletion
         commands, from Paul Blakey.
      
      3) Remove WQ_MEM_RECLAIM from the offload workqueue, from Roi Dayan.
      
      4) Infinite loop when removing nf_conntrack module, from Florian Westphal.
      
      5) Set NF_FLOW_TEARDOWN bit on expiration to avoid races when refreshing
         the timeout from the software path.
      
      6) Missing nft_set_elem_expired() check in the rbtree, from Phil Sutter.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b54f4fa
    • David S. Miller's avatar
      c9e2053d
    • Ursula Braun's avatar
      MAINTAINERS: another add of Karsten Graul for S390 networking · 865e525d
      Ursula Braun authored
      Complete adding of Karsten as maintainer for all S390 networking
      parts in the kernel.
      
      Cc: Julian Wiedmann <jwi@linux.ibm.com>
      Acked-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      865e525d
    • Wang Wenhu's avatar
      drivers: ipa: fix typos for ipa_smp2p structure doc · 16bb1b50
      Wang Wenhu authored
      Remove the duplicate "mutex", and change "Motex" to "Mutex". Also I
      recommend it's easier for understanding to make the "ready-interrupt"
      a bundle for it is a parallel description as "shutdown" which is appended
      after the slash.
      Signed-off-by: default avatarWang Wenhu <wenhu.wang@vivo.com>
      Cc: Alex Elder <elder@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      16bb1b50
    • Guillaume Nault's avatar
      pppoe: only process PADT targeted at local interfaces · b8c15839
      Guillaume Nault authored
      We don't want to disconnect a session because of a stray PADT arriving
      while the interface is in promiscuous mode.
      Furthermore, multicast and broadcast packets make no sense here, so
      only PACKET_HOST is accepted.
      Reported-by: default avatarDavid Balažic <xerces9@gmail.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8c15839
    • Yonghong Song's avatar
      selftests/bpf: Enforce returning 0 for fentry/fexit programs · 6d74f64b
      Yonghong Song authored
      There are a few fentry/fexit programs returning non-0.
      The tests with these programs will break with the previous
      patch which enfoced return-0 rules. Fix them properly.
      
      Fixes: ac065870 ("selftests/bpf: Add BPF_PROG, BPF_KPROBE, and BPF_KRETPROBE macros")
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Link: https://lore.kernel.org/bpf/20200514053207.1298479-1-yhs@fb.com
      6d74f64b
    • Yonghong Song's avatar
      bpf: Enforce returning 0 for fentry/fexit progs · e92888c7
      Yonghong Song authored
      Currently, tracing/fentry and tracing/fexit prog
      return values are not enforced. In trampoline codes,
      the fentry/fexit prog return values are ignored.
      Let us enforce it to be 0 to avoid confusion and
      allows potential future extension.
      
      This patch also explicitly added return value
      checking for tracing/raw_tp, tracing/fmod_ret,
      and freplace programs such that these program
      return values can be anything. The purpose are
      two folds:
       1. to make it explicit about return value expectations
          for these programs in verifier.
       2. for tracing prog_type, if a future attach type
          is added, the default is -ENOTSUPP which will
          enforce to specify return value ranges explicitly.
      
      Fixes: fec56f58 ("bpf: Introduce BPF trampoline")
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Link: https://lore.kernel.org/bpf/20200514053206.1298415-1-yhs@fb.com
      e92888c7
    • Vinod Koul's avatar
      net: stmmac: fix num_por initialization · fd4a5177
      Vinod Koul authored
      Driver missed initializing num_por which is one of the por values that
      driver configures to hardware. In order to get these values, add a new
      structure ethqos_emac_driver_data which holds por and num_por values
      and populate that in driver probe.
      
      Fixes: a7c30e62 ("net: stmmac: Add driver for Qualcomm ethqos")
      Reported-by: default avatarRahul Ankushrao Kawadgave <rahulak@qti.qualcomm.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Reviewed-by: default avatarAmit Kucheria <amit.kucheria@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd4a5177
    • Anders Roxell's avatar
      security: Fix the default value of secid_to_secctx hook · 625236ba
      Anders Roxell authored
      security_secid_to_secctx is called by the bpf_lsm hook and a successful
      return value (i.e 0) implies that the parameter will be consumed by the
      LSM framework. The current behaviour return success when the pointer
      isn't initialized when CONFIG_BPF_LSM is enabled, with the default
      return from kernel/bpf/bpf_lsm.c.
      
      This is the internal error:
      
      [ 1229.341488][ T2659] usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 280)!
      [ 1229.374977][ T2659] ------------[ cut here ]------------
      [ 1229.376813][ T2659] kernel BUG at mm/usercopy.c:99!
      [ 1229.378398][ T2659] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      [ 1229.380348][ T2659] Modules linked in:
      [ 1229.381654][ T2659] CPU: 0 PID: 2659 Comm: systemd-journal Tainted: G    B   W         5.7.0-rc5-next-20200511-00019-g864e0c6319b8-dirty #13
      [ 1229.385429][ T2659] Hardware name: linux,dummy-virt (DT)
      [ 1229.387143][ T2659] pstate: 80400005 (Nzcv daif +PAN -UAO BTYPE=--)
      [ 1229.389165][ T2659] pc : usercopy_abort+0xc8/0xcc
      [ 1229.390705][ T2659] lr : usercopy_abort+0xc8/0xcc
      [ 1229.392225][ T2659] sp : ffff000064247450
      [ 1229.393533][ T2659] x29: ffff000064247460 x28: 0000000000000000
      [ 1229.395449][ T2659] x27: 0000000000000118 x26: 0000000000000000
      [ 1229.397384][ T2659] x25: ffffa000127049e0 x24: ffffa000127049e0
      [ 1229.399306][ T2659] x23: ffffa000127048e0 x22: ffffa000127048a0
      [ 1229.401241][ T2659] x21: ffffa00012704b80 x20: ffffa000127049e0
      [ 1229.403163][ T2659] x19: ffffa00012704820 x18: 0000000000000000
      [ 1229.405094][ T2659] x17: 0000000000000000 x16: 0000000000000000
      [ 1229.407008][ T2659] x15: 0000000000000000 x14: 003d090000000000
      [ 1229.408942][ T2659] x13: ffff80000d5b25b2 x12: 1fffe0000d5b25b1
      [ 1229.410859][ T2659] x11: 1fffe0000d5b25b1 x10: ffff80000d5b25b1
      [ 1229.412791][ T2659] x9 : ffffa0001034bee0 x8 : ffff00006ad92d8f
      [ 1229.414707][ T2659] x7 : 0000000000000000 x6 : ffffa00015eacb20
      [ 1229.416642][ T2659] x5 : ffff0000693c8040 x4 : 0000000000000000
      [ 1229.418558][ T2659] x3 : ffffa0001034befc x2 : d57a7483a01c6300
      [ 1229.420610][ T2659] x1 : 0000000000000000 x0 : 0000000000000059
      [ 1229.422526][ T2659] Call trace:
      [ 1229.423631][ T2659]  usercopy_abort+0xc8/0xcc
      [ 1229.425091][ T2659]  __check_object_size+0xdc/0x7d4
      [ 1229.426729][ T2659]  put_cmsg+0xa30/0xa90
      [ 1229.428132][ T2659]  unix_dgram_recvmsg+0x80c/0x930
      [ 1229.429731][ T2659]  sock_recvmsg+0x9c/0xc0
      [ 1229.431123][ T2659]  ____sys_recvmsg+0x1cc/0x5f8
      [ 1229.432663][ T2659]  ___sys_recvmsg+0x100/0x160
      [ 1229.434151][ T2659]  __sys_recvmsg+0x110/0x1a8
      [ 1229.435623][ T2659]  __arm64_sys_recvmsg+0x58/0x70
      [ 1229.437218][ T2659]  el0_svc_common.constprop.1+0x29c/0x340
      [ 1229.438994][ T2659]  do_el0_svc+0xe8/0x108
      [ 1229.440587][ T2659]  el0_svc+0x74/0x88
      [ 1229.441917][ T2659]  el0_sync_handler+0xe4/0x8b4
      [ 1229.443464][ T2659]  el0_sync+0x17c/0x180
      [ 1229.444920][ T2659] Code: aa1703e2 aa1603e1 910a8260 97ecc860 (d4210000)
      [ 1229.447070][ T2659] ---[ end trace 400497d91baeaf51 ]---
      [ 1229.448791][ T2659] Kernel panic - not syncing: Fatal exception
      [ 1229.450692][ T2659] Kernel Offset: disabled
      [ 1229.452061][ T2659] CPU features: 0x240002,20002004
      [ 1229.453647][ T2659] Memory Limit: none
      [ 1229.455015][ T2659] ---[ end Kernel panic - not syncing: Fatal exception ]---
      
      Rework the so the default return value is -EOPNOTSUPP.
      
      There are likely other callbacks such as security_inode_getsecctx() that
      may have the same problem, and that someone that understand the code
      better needs to audit them.
      
      Thank you Arnd for helping me figure out what went wrong.
      
      Fixes: 98e828a0 ("security: Refactor declaration of LSM hooks")
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarJames Morris <jamorris@linux.microsoft.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/bpf/20200512174607.9630-1-anders.roxell@linaro.org
      625236ba