01 Sep, 2017 3 commits
    • epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() · 138e4ad6
      Oleg Nesterov authored
      The race was introduced by me in commit 971316f0 ("epoll:
      ep_unregister_pollwait() can use the freed pwq->whead").  I did not
      realize that nothing can protect eventpoll after ep_poll_callback() sets
      ->whead = NULL, only whead->lock can save us from the race with
      ep_free() or ep_remove().
      
      Move ->whead = NULL to the end of ep_poll_callback() and add the
      necessary barriers.
      
      TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even
      before this patch.
      
      Hopefully this explains the use-after-free reported by syzkaller:
      
      	BUG: KASAN: use-after-free in debug_spin_lock_before
      	...
      	 _raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
      	 ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148
      
      this is spin_lock(eventpoll->lock),
      
      	...
      	Freed by task 17774:
      	...
      	 kfree+0xe8/0x2c0 mm/slub.c:3883
      	 ep_free+0x22c/0x2a0 fs/eventpoll.c:865
      
      Fixes: 971316f0 ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
      Reported-by: 范龙飞 <long7573@126.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8cf9f2a2
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix handling of pinned BPF map nodes in hash of maps, from Daniel
          Borkmann.
      
       2) IPSEC ESP error paths leak memory, from Steffen Klassert.
      
       3) We need an RCU grace period before freeing fib6_node objects, from
          Wei Wang.
      
       4) Must check skb_put_padto() return value in HSR driver, from Florian
          Fainelli.
      
       5) Fix oops on PHY probe failure in ftgmac100 driver, from Andrew
          Jeffery.
      
       6) Fix infinite loop in UDP queue when using SO_PEEK_OFF, from Eric
          Dumazet.
      
       7) Use after free when tcf_chain_destroy() called multiple times, from
          Jiri Pirko.
      
       8) Fix KSZ DSA tag layer multiple free of SKBS, from Florian Fainelli.
      
       9) Fix leak of uninitialized memory in sctp_get_sctp_info(),
          inet_diag_msg_sctpladdrs_fill() and inet_diag_msg_sctpaddrs_fill().
          From Stefano Brivio.
      
      10) L2TP tunnel refcount fixes from Guillaume Nault.
      
      11) Don't leak UDP secpath in udp_set_dev_scratch(), from Yossi
          Kauperman.
      
      12) Revert a PHY layer change wrt. handling of PHY_HALTED state in
          phy_stop_machine(), it causes regressions for multiple people. From
          Florian Fainelli.
      
      13) When packets are sent out of br0 we have to clear the
          offload_fwdq_mark value.
      
      14) Several NULL pointer deref fixes in packet schedulers when their
          ->init() routine fails. From Nikolay Aleksandrov.
      
      15) Aquantia devices cannot checksum offload correctly when the packet
          is <= 60 bytes. From Pavel Belous.
      
      16) Fix vnet header access past end of buffer in AF_PACKET, from
          Benjamin Poirier.
      
      17) Double free in probe error paths of nfp driver, from Dan Carpenter.
      
      18) QOS capability not checked properly in DCB init paths of mlx5
          driver, from Huy Nguyen.
      
      19) Fix conflicts between firmware load failure and health_care timer in
          mlx5, also from Huy Nguyen.
      
      20) Fix dangling page pointer when DMA mapping errors occur in mlx5,
          from Eran Ben Elisha.
      
      21) ->ndo_setup_tc() in bnxt_en driver doesn't count rings properly,
          from Michael Chan.
      
      22) Missing MSIX vector free in bnxt_en, also from Michael Chan.
      
      23) Refcount leak in xfrm layer when using sk_policy, from Lorenzo
          Colitti.
      
      24) Fix copy of uninitialized data in qlge driver, from Arnd Bergmann.
      
      25) bpf_setsockopts() erroneously always returns -EINVAL even on
          success. Fix from Yuchung Cheng.
      
      26) tipc_rcv() needs to linearize the SKB before parsing the inner
          headers, from Parthasarathy Bhuvaragan.
      
      27) Fix deadlock between link status updates and link removal in netvsc
          driver, from Stephen Hemminger.
      
      28) Missed locking of page fragment handling in ESP output, from Steffen
          Klassert.
      
      29) Fix refcnt leak in ebpf congestion control code, from Sabrina
          Dubroca.
      
      30) sxgbe_probe_config_dt() doesn't check devm_kzalloc()'s return value,
          from Christophe Jaillet.
      
      31) Fix missing ipv6 rx_dst_cookie update when rx_dst is updated during
          early demux, from Paolo Abeni.
      
      32) Several info leaks in xfrm_user layer, from Mathias Krause.
      
      33) Fix out of bounds read in cxgb4 driver, from Stefano Brivio.
      
      34) Properly propagate obsolete state of route upwards in ipv6 so that
          upper holders like xfrm can see it. From Xin Long.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (118 commits)
        udp: fix secpath leak
        bridge: switchdev: Clear forward mark when transmitting packet
        mlxsw: spectrum: Forbid linking to devices that have uppers
        wl1251: add a missing spin_lock_init()
        Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"
        net: dsa: bcm_sf2: Fix number of CFP entries for BCM7278
        kcm: do not attach PF_KCM sockets to avoid deadlock
        sch_tbf: fix two null pointer dereferences on init failure
        sch_sfq: fix null pointer dereference on init failure
        sch_netem: avoid null pointer deref on init failure
        sch_fq_codel: avoid double free on init failure
        sch_cbq: fix null pointer dereferences on init failure
        sch_hfsc: fix null pointer deref and double free on init failure
        sch_hhf: fix null pointer dereference on init failure
        sch_multiq: fix double free on init failure
        sch_htb: fix crash on init failure
        net/mlx5e: Fix CQ moderation mode not set properly
        net/mlx5e: Fix inline header size for small packets
        net/mlx5: E-Switch, Unload the representors in the correct order
        net/mlx5e: Properly resolve TC offloaded ipv6 vxlan tunnel source address
        ...
    • Merge tag 'ceph-for-4.13-rc8' of git://github.com/ceph/ceph-client · b8a78bb4
      Linus Torvalds authored
      Pull ceph fix from Ilya Dryomov:
       "ceph fscache page locking fix from Zheng, marked for stable"
      
      * tag 'ceph-for-4.13-rc8' of git://github.com/ceph/ceph-client:
        ceph: fix readpage from fscache