1. 25 Jul, 2018 37 commits
  2. 24 Jul, 2018 3 commits
    • Shubhrajyoti Datta's avatar
      net: axienet: Fix double deregister of mdio · 03bc7cab
      Shubhrajyoti Datta authored
      If the registration fails then mdio_unregister is called.
      However at unbind the unregister ia attempted again resulting
      in the below crash
      
      [   73.544038] kernel BUG at drivers/net/phy/mdio_bus.c:415!
      [   73.549362] Internal error: Oops - BUG: 0 [#1] SMP
      [   73.554127] Modules linked in:
      [   73.557168] CPU: 0 PID: 2249 Comm: sh Not tainted 4.14.0 #183
      [   73.562895] Hardware name: xlnx,zynqmp (DT)
      [   73.567062] task: ffffffc879e41180 task.stack: ffffff800cbe0000
      [   73.572973] PC is at mdiobus_unregister+0x84/0x88
      [   73.577656] LR is at axienet_mdio_teardown+0x18/0x30
      [   73.582601] pc : [<ffffff80085fa4cc>] lr : [<ffffff8008616858>]
      pstate: 20000145
      [   73.589981] sp : ffffff800cbe3c30
      [   73.593277] x29: ffffff800cbe3c30 x28: ffffffc879e41180
      [   73.598573] x27: ffffff8008a21000 x26: 0000000000000040
      [   73.603868] x25: 0000000000000124 x24: ffffffc879efe920
      [   73.609164] x23: 0000000000000060 x22: ffffffc879e02000
      [   73.614459] x21: ffffffc879e02800 x20: ffffffc87b0b8870
      [   73.619754] x19: ffffffc879e02800 x18: 000000000000025d
      [   73.625050] x17: 0000007f9a719ad0 x16: ffffff8008195bd8
      [   73.630345] x15: 0000007f9a6b3d00 x14: 0000000000000010
      [   73.635640] x13: 74656e7265687465 x12: 0000000000000030
      [   73.640935] x11: 0000000000000030 x10: 0101010101010101
      [   73.646231] x9 : 241f394f42533300 x8 : ffffffc8799f6e98
      [   73.651526] x7 : ffffffc8799f6f18 x6 : ffffffc87b0ba318
      [   73.656822] x5 : ffffffc87b0ba498 x4 : 0000000000000000
      [   73.662117] x3 : 0000000000000000 x2 : 0000000000000008
      [   73.667412] x1 : 0000000000000004 x0 : ffffffc8799f4000
      [   73.672708] Process sh (pid: 2249, stack limit = 0xffffff800cbe0000)
      
      Fix the same by making the bus NULL on unregister.
      Signed-off-by: default avatarShubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      03bc7cab
    • Aleksander Morgado's avatar
      qmi_wwan: fix interface number for DW5821e production firmware · f25e1392
      Aleksander Morgado authored
      The original mapping for the DW5821e was done using a development
      version of the firmware. Confirmed with the vendor that the final
      USB layout ends up exposing the QMI control/data ports in USB
      config #1, interface #0, not in interface #1 (which is now a HID
      interface).
      
      T:  Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  2
      P:  Vendor=413c ProdID=81d7 Rev=03.18
      S:  Manufacturer=DELL
      S:  Product=DW5821e Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      
      Fixes: e7e197ed ("qmi_wwan: add support for the Dell Wireless 5821e module")
      Signed-off-by: default avatarAleksander Morgado <aleksander@aleksander.es>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f25e1392
    • Willem de Bruijn's avatar
      ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull · 2efd4fca
      Willem de Bruijn authored
      Syzbot reported a read beyond the end of the skb head when returning
      IPV6_ORIGDSTADDR:
      
        BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
        CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
        Google 01/01/2011
        Call Trace:
          __dump_stack lib/dump_stack.c:77 [inline]
          dump_stack+0x185/0x1d0 lib/dump_stack.c:113
          kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
          kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
          kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
          copy_to_user include/linux/uaccess.h:184 [inline]
          put_cmsg+0x5ef/0x860 net/core/scm.c:242
          ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
          ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
          rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
          [..]
      
      This logic and its ipv4 counterpart read the destination port from
      the packet at skb_transport_offset(skb) + 4.
      
      With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
      packet that stores headers exactly up to skb_transport_offset(skb) in
      the head and the remainder in a frag.
      
      Call pskb_may_pull before accessing the pointer to ensure that it lies
      in skb head.
      
      Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
      Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2efd4fca