1. 15 Nov, 2015 1 commit
    • Hannes Frederic Sowa's avatar
      af-unix: fix use-after-free with concurrent readers while splicing · 73ed5d25
      Hannes Frederic Sowa authored
      During splicing an af-unix socket to a pipe we have to drop all
      af-unix socket locks. While doing so we allow another reader to enter
      unix_stream_read_generic which can read, copy and finally free another
      skb. If exactly this skb is just in process of being spliced we get a
      use-after-free report by kasan.
      
      First, we must make sure to not have a free while the skb is used during
      the splice operation. We simply increment its use counter before unlocking
      the reader lock.
      
      Stream sockets have the nice characteristic that we don't care about
      zero length writes and they never reach the peer socket's queue. That
      said, we can take the UNIXCB.consumed field as the indicator if the
      skb was already freed from the socket's receive queue. If the skb was
      fully consumed after we locked the reader side again we know it has been
      dropped by a second reader. We indicate a short read to user space and
      abort the current splice operation.
      
      This bug has been found with syzkaller
      (http://github.com/google/syzkaller) by Dmitry Vyukov.
      
      Fixes: 2b514574 ("net: af_unix: implement splice for stream af_unix sockets")
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      73ed5d25
  2. 12 Nov, 2015 3 commits
    • Arnd Bergmann's avatar
      stmmac: avoid ipq806x constant overflow warning · 49e4a229
      Arnd Bergmann authored
      Building dwmac-ipq806x on a 64-bit architecture produces a harmless
      warning from gcc:
      
      stmmac/dwmac-ipq806x.c: In function 'ipq806x_gmac_probe':
      include/linux/bitops.h:6:19: warning: overflow in implicit constant conversion [-Woverflow]
        val = QSGMII_PHY_CDR_EN |
      stmmac/dwmac-ipq806x.c:333:8: note: in expansion of macro 'QSGMII_PHY_CDR_EN'
       #define QSGMII_PHY_CDR_EN   BIT(0)
       #define BIT(nr)   (1UL << (nr))
      
      This is a result of the type conversion rules in C, when we take the
      logical OR of multiple different types. In particular, we have
      and unsigned long
      
      	QSGMII_PHY_CDR_EN == BIT(0) == (1ul << 0) == 0x0000000000000001ul
      
      and a signed int
      
      	0xC << QSGMII_PHY_TX_DRV_AMP_OFFSET == 0xc0000000
      
      which together gives a signed long value
      
      	0xffffffffc0000001l
      
      and when this is passed into a function that takes an unsigned int type,
      gcc warns about the signed overflow and the loss of the upper 32-bits that
      are all ones.
      
      This patch adds 'ul' type modifiers to the literal numbers passed in
      here, so now the expression remains an 'unsigned long' with the upper
      bits all zero, and that avoids the signed overflow and the warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: b1c17215 ("stmmac: add ipq806x glue layer")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49e4a229
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 382a483e
      David S. Miller authored
      Pablo Neira Ayuso:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree. This
      large batch that includes fixes for ipset, netfilter ingress, nf_tables
      dynamic set instantiation and a longstanding Kconfig dependency problem.
      More specifically, they are:
      
      1) Add missing check for empty hook list at the ingress hook, from
         Florian Westphal.
      
      2) Input and output interface are swapped at the ingress hook,
         reported by Patrick McHardy.
      
      3) Resolve ipset extension alignment issues on ARM, patch from Jozsef
         Kadlecsik.
      
      4) Fix bit check on bitmap in ipset hash type, also from Jozsef.
      
      5) Release buckets when all entries have expired in ipset hash type,
         again from Jozsef.
      
      6) Oneliner to initialize conntrack tuple object in the PPTP helper,
         otherwise the conntrack lookup may fail due to random bits in the
         structure holes, patch from Anthony Lineham.
      
      7) Silence a bogus gcc warning in nfnetlink_log, from Arnd Bergmann.
      
      8) Fix Kconfig dependency problems with TPROXY, socket and dup, also
         from Arnd.
      
      9) Add __netdev_alloc_pcpu_stats() to allow creating percpu counters
         from atomic context, this is required by the follow up fix for
         nf_tables.
      
      10) Fix crash from the dynamic set expression, we have to add new clone
          operation that should be defined when a simple memcpy is not enough.
          This resolves a crash when using per-cpu counters with new Patrick
          McHardy's flow table nft support.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      382a483e
    • françois romieu's avatar
      r8169: fix kasan reported skb use-after-free. · 39174291
      françois romieu authored
      Signed-off-by: default avatarFrancois Romieu <romieu@fr.zoreil.com>
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Fixes: d7d2d89d ("r8169: Add software counter for multicast packages")
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarCorinna Vinschen <vinschen@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      39174291
  3. 11 Nov, 2015 30 commits
  4. 10 Nov, 2015 6 commits
    • Linus Torvalds's avatar
      Merge tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 52e9a333
      Linus Torvalds authored
      Pull ARM SoC defconfig updates from Olof Johansson:
       "Defconfig updates are kept separate from other branches mostly to
        avoid conflicts between the different categories (driver branch
        enabling something that has context conflict with SoC options, etc).
      
        A lot of this again is scattered across the various hardware
        platforms.  multi_v7_defconfig, our "generic" config for most 32-bit
        platforms has been gone through by Marvell Berlin maintainers and
        added most options they need to run on their hardware.  Broadcom NSP
        is also added there, and the new Atmel SAMA5D2 (added last release).
        Rockchip also has display and other devices supported in that config.
      
        In addition to that, the usual small churn of new options being added
        here and there"
      
      * tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (45 commits)
        ARM: multi_v7_defconfig: enable UniPhier I2C drivers
        ARM: multi_v7_defconfig: Enable rtl8152 ethernet driver for Odroid-XU4
        ARM: exynos_defconfig: Enable rtl8152 ethernet driver for Odroid-XU4
        ARM: exynos_defconfig: Enable WiFi-Ex as a module instead built-in
        ARM: exynos_defconfig: Disable simplefb support
        ARM: exynos_defconfig: Enable LEDS for Odroid-XU3/XU4
        ARM: multi_v7_defconfig: Enable DWC2 USB driver and USB ethernet gadget
        ARM: exynos_defconfig: Enable DWC2 USB driver and USB ethernet gadget
        ARM: exynos_defconfig: Enable USB Video Class support
        ARM: multi_v7_defconfig: improve multi_v7_defconfig support for Berlin
        ARM: tegra: Update multi_v7_defconfig
        ARM: multi_v7_defconfig: Add Atmel SDHCI device
        ARM: multi_v7_defconfig: Add Atmel Flexcom device
        ARM: multi_v7_defconfig: Add Atmel SAMA5D2 SoC
        ARM: at91/defconfig: add sama5d2 and its new devices to sama5 defconfig
        ARM: at91/defconfig: update at91_dt defconfig
        ARM: at91/defconfig: update sama5 defconfig
        ARM: configs: Enable FIXED_PHY in multi_v7 defconfig
        ARM: configs: update lpc18xx defconfig
        ARM: socfpga_defconfig: enable fpga manager
        ...
      52e9a333
    • Linus Torvalds's avatar
      Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · c0d6fe2f
      Linus Torvalds authored
      Pull ARM DT updates from Olof Johansson:
       "As usual, this is the massive branch we have for each release.  Lots
        of various updates and additions of hardware descriptions on existing
        hardware, as well as the usual additions of new boards and SoCs.
      
        This is also the first release where we've started mixing 64- and
        32-bit DT updates in one branch.
      
        (Specific details on what's actually here and new is pretty easy to
        tell from the diffstat, so there's little point in duplicating listing
        it here)"
      
      * tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (499 commits)
        ARM: dts: uniphier: add system-bus-controller nodes
        ARM64: juno: disable NOR flash node by default
        ARM: dts: uniphier: add outer cache controller nodes
        arm64: defconfig: Enable PCI generic host bridge by default
        arm64: Juno: Add support for the PCIe host bridge on Juno R1
        Documentation: of: Document the bindings used by Juno R1 PCIe host bridge
        ARM: dts: uniphier: add I2C aliases for ProXstream2 boards
        dts/Makefile: Add build support for LS2080a QDS & RDB board DTS
        dts/ls2080a: Add DTS support for LS2080a QDS & RDB boards
        dts/ls2080a: Update Simulator DTS to add support of various peripherals
        dts/ls2080a: Remove text about writing to Free Software Foundation
        dts/ls2080a: Update DTSI to add support of various peripherals
        doc: DTS: Update DWC3 binding to provide reference to generic bindings
        doc/bindings: Update GPIO devicetree binding documentation for LS2080A
        Documentation/dts: Move FSL board-specific bindings out of /powerpc
        Documentation: DT: Add entry for FSL LS2080A QDS and RDB boards
        arm64: Rename FSL LS2085A SoC support code to LS2080A
        arm64: Use generic Layerscape SoC family naming
        ARM: dts: uniphier: add ProXstream2 Vodka board support
        ARM: dts: uniphier: add ProXstream2 Gentil board support
        ...
      c0d6fe2f
    • Linus Torvalds's avatar
      Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · b44a3d2a
      Linus Torvalds authored
      Pull ARM SoC driver updates from Olof Johansson:
       "As we've enabled multiplatform kernels on ARM, and greatly done away
        with the contents under arch/arm/mach-*, there's still need for
        SoC-related drivers to go somewhere.
      
        Many of them go in through other driver trees, but we still have
        drivers/soc to hold some of the "doesn't fit anywhere" lowlevel code
        that might be shared between ARM and ARM64 (or just in general makes
        sense to not have under the architecture directory).
      
        This branch contains mostly such code:
      
         - Drivers for qualcomm SoCs for SMEM, SMD and SMD-RPM, used to
           communicate with power management blocks on these SoCs for use by
           clock, regulator and bus frequency drivers.
      
         - Allwinner Reduced Serial Bus driver, again used to communicate with
           PMICs.
      
         - Drivers for ARM's SCPI (System Control Processor).  Not to be
           confused with PSCI (Power State Coordination Interface).  SCPI is
           used to communicate with the assistant embedded cores doing power
           management, and we have yet to see how many of them will implement
           this for their hardware vs abstracting in other ways (or not at all
           like in the past).
      
         - To make confusion between SCPI and PSCI more likely, this release
           also includes an update of PSCI to interface version 1.0.
      
         - Rockchip support for power domains.
      
         - A driver to talk to the firmware on Raspberry Pi"
      
      * tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (57 commits)
        soc: qcom: smd-rpm: Correct size of outgoing message
        bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus
        bus: sunxi-rsb: Add Allwinner Reduced Serial Bus (RSB) controller bindings
        ARM: bcm2835: add mutual inclusion protection
        drivers: psci: make PSCI 1.0 functions initialization version dependent
        dt-bindings: Correct paths in Rockchip power domains binding document
        soc: rockchip: power-domain: don't try to print the clock name in error case
        soc: qcom/smem: add HWSPINLOCK dependency
        clk: berlin: add cpuclk
        ARM: berlin: dts: add CLKID_CPU for BG2Q
        ARM: bcm2835: Add the Raspberry Pi firmware driver
        soc: qcom: smem: Move RPM message ram out of smem DT node
        soc: qcom: smd-rpm: Correct the active vs sleep state flagging
        soc: qcom: smd: delete unneeded of_node_put
        firmware: qcom-scm: build for correct architecture level
        soc: qcom: smd: Correct SMEM items for upper channels
        qcom-scm: add missing prototype for qcom_scm_is_available()
        qcom-scm: fix endianess issue in __qcom_scm_is_call_available
        soc: qcom: smd: Reject send of too big packets
        soc: qcom: smd: Handle big endian CPUs
        ...
      b44a3d2a
    • Linus Torvalds's avatar
      Merge tag 'armsoc-soc' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 56e04649
      Linus Torvalds authored
      Pull ARM SoC platform updates from Olof Johansson:
       "New and/or improved SoC support for this release:
      
        Marvell Berlin:
           - Enable standard DT-based cpufreq
           - Add CPU hotplug support
      
        Freescale:
           - Ethernet init for i.MX7D
           - Suspend/resume support for i.MX6UL
      
        Allwinner:
           - Support for R8 chipset (used on NTC's $9 C.H.I.P board)
      
        Mediatek:
           - SMP support for some platforms
      
        Uniphier:
           - L2 support
           - Cleaned up SMP support, etc.
      
        plus a handful of other patches around above functionality, and a few
        other smaller changes"
      
      * tag 'armsoc-soc' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (42 commits)
        ARM: uniphier: rework SMP operations to use trampoline code
        ARM: uniphier: add outer cache support
        Documentation: EXYNOS: Update bootloader interface on exynos542x
        ARM: mvebu: add broken-idle option
        ARM: orion5x: use mac_pton() helper
        ARM: at91: pm: at91_pm_suspend_in_sram() must be 8-byte aligned
        ARM: sunxi: Add R8 support
        ARM: digicolor: select pinctrl/gpio driver
        arm: berlin: add CPU hotplug support
        arm: berlin: use non-self-cleared reset register to reset cpu
        ARM: mediatek: add smp bringup code
        ARM: mediatek: enable gpt6 on boot up to make arch timer working
        soc: mediatek: Fix random hang up issue while kernel init
        soc: ti: qmss: make acc queue support optional in the driver
        soc: ti: add firmware file name as part of the driver
        Documentation: dt: soc: Add description for knav qmss driver
        ARM: S3C64XX: Use PWM lookup table for mach-smartq
        ARM: S3C64XX: Use PWM lookup table for mach-hmt
        ARM: S3C64XX: Use PWM lookup table for mach-crag6410
        ARM: S3C64XX: Use PWM lookup table for smdk6410
        ...
      56e04649
    • Linus Torvalds's avatar
      Merge tag 'armsoc-cleanup' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · a5e1d715
      Linus Torvalds authored
      Pull ARM SoC cleanups from Olof Johansson:
       "Again we have a sizable (but not huge) cleanup branch with a net delta
        of about -3k lines.
      
        Main contents here is:
      
         - A bunch of development/cleanup of a few PXA boards
         - Removal of bockw platforms on shmobile, since the platform has now
           gone completely multiplatform.  Whee!
         - move of the 32kHz timer on OMAP to a proper timesource
         - Misc cleanup of older OMAP material (incl removal of one board
           file)
         - Switch over to new common PWM lookup support for several platforms
      
        There's also a handful of other cleanups across the tree, but the
        above are the major pieces"
      
      * tag 'armsoc-cleanup' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (103 commits)
        ARM: OMAP3: hwmod data: Remove legacy mailbox data and addrs
        ARM: DRA7: hwmod data: Remove spinlock hwmod addrs
        ARM: OMAP4: hwmod data: Remove spinlock hwmod addrs
        ARM: DRA7/AM335x/AM437x: hwmod: Remove gpmc address space from hwmod data
        ARM: Remove __ref on hotplug cpu die path
        ARM: Remove open-coded version of IRQCHIP_DECLARE
        arm: omap2: board-generic: use omap4_local_timer_init for AM437x
        ARM: DRA7/AM335x/AM437x: hwmod: Remove elm address space from hwmod data
        ARM: OMAP: Remove duplicated operand in OR operation
        clocksource: ti-32k: make it depend on GENERIC_CLOCKSOURCE
        ARM: pxa: remove incorrect __init annotation on pxa27x_set_pwrmode
        ARM: pxa: raumfeld: make some variables static
        ARM: OMAP: Change all cpu_is_* occurences to soc_is_* for id.c
        ARM: OMAP2+: Rename cpu_is macros to soc_is
        arm: omap2: timer: limit hwmod usage to non-DT boots
        arm: omap2+: select 32k clocksource driver
        clocksource: add TI 32.768 Hz counter driver
        arm: omap2: timer: rename omap_sync32k_timer_init()
        arm: omap2: timer: always call clocksource_of_init() when DT
        arm: omap2: timer: move realtime_counter_init() around
        ...
      a5e1d715
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: add clone interface to expression operations · 086f3321
      Pablo Neira Ayuso authored
      With the conversion of the counter expressions to make it percpu, we
      need to clone the percpu memory area, otherwise we crash when using
      counters from flow tables.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      086f3321