1. 12 Oct, 2018 1 commit
    • Greg Kroah-Hartman's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 90ad1841
      Greg Kroah-Hartman authored
      David writes:
        "Networking
      
         1) RXRPC receive path fixes from David Howells.
      
         2) Re-export __skb_recv_udp(), from Jiri Kosina.
      
         3) Fix refcounting in u32 classificer, from Al Viro.
      
         4) Userspace netlink ABI fixes from Eugene Syromiatnikov.
      
         5) Don't double iounmap on rmmod in ena driver, from Arthur
            Kiyanovski.
      
         6) Fix devlink string attribute handling, we must pull a copy into a
            kernel buffer if the lifetime extends past the netlink request.
            From Moshe Shemesh.
      
         7) Fix hangs in RDS, from Ka-Cheong Poon.
      
         8) Fix recursive locking lockdep warnings in tipc, from Ying Xue.
      
         9) Clear RX irq correctly in socionext, from Ilias Apalodimas.
      
         10) bcm_sf2 fixes from Florian Fainelli."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits)
        net: dsa: bcm_sf2: Call setup during switch resume
        net: dsa: bcm_sf2: Fix unbind ordering
        net: phy: sfp: remove sfp_mutex's definition
        r8169: set RX_MULTI_EN bit in RxConfig for 8168F-family chips
        net: socionext: clear rx irq correctly
        net/mlx4_core: Fix warnings during boot on driverinit param set failures
        tipc: eliminate possible recursive locking detected by LOCKDEP
        selftests: udpgso_bench.sh explicitly requires bash
        selftests: rtnetlink.sh explicitly requires bash.
        qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface
        tipc: queue socket protocol error messages into socket receive buffer
        tipc: set link tolerance correctly in broadcast link
        net: ipv4: don't let PMTU updates increase route MTU
        net: ipv4: update fnhe_pmtu when first hop's MTU changes
        net/ipv6: stop leaking percpu memory in fib6 info
        rds: RDS (tcp) hangs on sendto() to unresponding address
        net: make skb_partial_csum_set() more robust against overflows
        devlink: Add helper function for safely copy string param
        devlink: Fix param cmode driverinit for string type
        devlink: Fix param set handling for string type
        ...
      90ad1841
  2. 11 Oct, 2018 29 commits
  3. 10 Oct, 2018 10 commits
    • Greg Kroah-Hartman's avatar
      Merge tag 'for-4.19/dm-fixes-3' of... · b8db9e69
      Greg Kroah-Hartman authored
      Merge tag 'for-4.19/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Mike writes:
        "device mapper fixes for 4.19 final
      
         - Fix a DM cache module init error path bug that doesn't properly
           cleanup a KMEM_CACHE if target registration fails.
      
         - Two stable@ fixes for DM zoned target; 4.20 will have changes that
           eliminate this code entirely but <= 4.19 needs these changes."
      
      * tag 'for-4.19/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm linear: eliminate linear_end_io call if CONFIG_DM_ZONED disabled
        dm: fix report zone remapping to account for partition offset
        dm cache: destroy migration_cache if cache target registration failed
      b8db9e69
    • Greg Kroah-Hartman's avatar
      Merge tag 'trace-v4.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 588b5938
      Greg Kroah-Hartman authored
      Steven writes:
        "vsprint fix:
      
         It was reported that trace_printk() was not reporting properly
         values that came after a dereference pointer.
      
         trace_printk() utilizes vbin_printf() and bstr_printf() to keep the
         overhead of tracing down. vbin_printf() does not do any conversions
         and just stors the string format and the raw arguments into the
         buffer. bstr_printf() is used to read the buffer and does the
         conversions to complete the printf() output.
      
         This can be troublesome with dereferenced pointers because the
         reference may be different from the time vbin_printf() is called to
         the time bstr_printf() is called. To fix this, a prior commit changed
         vbin_printf() to convert dereferenced pointers into strings and load
         the converted string into the buffer. But the change to bstr_printf()
         had an off-by-one error and didn't account for the nul character at
         the end of the string and this corrupted the rest of the values in
         the format that came after a dereferenced pointer."
      
      * tag 'trace-v4.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced pointers
      588b5938
    • Greg Kroah-Hartman's avatar
      Merge tag 'devicetree-fixes-for-4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · f7e59f38
      Greg Kroah-Hartman authored
      Rob writes:
        "Devicetree fixes for 4.19, part 3:
      
         - Fix DT unittest on Oldworld MAC systems"
      
      * tag 'devicetree-fixes-for-4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        of: unittest: Disable interrupt node tests for old world MAC systems
      f7e59f38
    • Eric Dumazet's avatar
      net: make skb_partial_csum_set() more robust against overflows · 52b5d6f5
      Eric Dumazet authored
      syzbot managed to crash in skb_checksum_help() [1] :
      
              BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb));
      
      Root cause is the following check in skb_partial_csum_set()
      
      	if (unlikely(start > skb_headlen(skb)) ||
      	    unlikely((int)start + off > skb_headlen(skb) - 2))
      		return false;
      
      If skb_headlen(skb) is 1, then (skb_headlen(skb) - 2) becomes 0xffffffff
      and the check fails to detect that ((int)start + off) is off the limit,
      since the compare is unsigned.
      
      When we fix that, then the first condition (start > skb_headlen(skb))
      becomes obsolete.
      
      Then we should also check that (skb_headroom(skb) + start) wont
      overflow 16bit field.
      
      [1]
      kernel BUG at net/core/dev.c:2880!
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 7330 Comm: syz-executor4 Not tainted 4.19.0-rc6+ #253
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
      Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
      RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
      RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
      RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
      RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
      R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
      R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
      FS:  00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
       validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
       __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
       packet_snd net/packet/af_packet.c:2928 [inline]
       packet_sendmsg+0x422d/0x64c0 net/packet/af_packet.c:2953
      
      Fixes: 5ff8dda3 ("net: Ensure partial checksum offset is inside the skb head")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      52b5d6f5
    • David S. Miller's avatar
      Merge branch 'devlink-param-type-string-fixes' · 8b79f410
      David S. Miller authored
      Moshe Shemesh says:
      
      ====================
      devlink param type string fixes
      
      This patchset fixes devlink param infrastructure for string param type.
      
      The devlink param infrastructure doesn't handle copying the string data
      correctly.  The first two patches fix it and the third patch adds helper
      function to safely copy string value without exceeding
      DEVLINK_PARAM_MAX_STRING_VALUE.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8b79f410
    • Moshe Shemesh's avatar
      devlink: Add helper function for safely copy string param · bde74ad1
      Moshe Shemesh authored
      Devlink string param buffer is allocated at the size of
      DEVLINK_PARAM_MAX_STRING_VALUE. Add helper function which makes sure
      this size is not exceeded.
      Renamed DEVLINK_PARAM_MAX_STRING_VALUE to
      __DEVLINK_PARAM_MAX_STRING_VALUE to emphasize that it should be used by
      devlink only. The driver should use the helper function instead to
      verify it doesn't exceed the allowed length.
      Signed-off-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bde74ad1
    • Moshe Shemesh's avatar
      devlink: Fix param cmode driverinit for string type · 1276534c
      Moshe Shemesh authored
      Driverinit configuration mode value is held by devlink to enable the
      driver fetch the value after reload command. In case the param type is
      string devlink should copy the value from driver string buffer to
      devlink string buffer on devlink_param_driverinit_value_set() and
      vice-versa on devlink_param_driverinit_value_get().
      
      Fixes: ec01aeb1 ("devlink: Add support for get/set driverinit value")
      Signed-off-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1276534c
    • Moshe Shemesh's avatar
      devlink: Fix param set handling for string type · f355cfcd
      Moshe Shemesh authored
      In case devlink param type is string, it needs to copy the string value
      it got from the input to devlink_param_value.
      
      Fixes: e3b7ca18 ("devlink: Add param set command")
      Signed-off-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f355cfcd
    • Masahiro Yamada's avatar
      samples: disable CONFIG_SAMPLES for UML · 5318321d
      Masahiro Yamada authored
      Some samples require headers installation, so commit 3fca1700
      ("kbuild: make samples really depend on headers_install") added
      such dependency in the top Makefile. However, UML fails to build
      with CONFIG_SAMPLES=y because UML does not support headers_install.
      
      Fixes: 3fca1700 ("kbuild: make samples really depend on headers_install")
      Reported-by: default avatarKees Cook <keescook@chromium.org>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      5318321d
    • Mike Snitzer's avatar
      dm linear: eliminate linear_end_io call if CONFIG_DM_ZONED disabled · beb9caac
      Mike Snitzer authored
      It is best to avoid any extra overhead associated with bio completion.
      DM core will indirectly call a DM target's .end_io if it is defined.
      In the case of DM linear, there is no need to do so (for every bio that
      completes) if CONFIG_DM_ZONED is not enabled.
      
      Avoiding an extra indirect call for every bio completion is very
      important for ensuring DM linear doesn't incur more overhead that
      further widens the performance gap between dm-linear and raw block
      devices.
      
      Fixes: 0be12c1c ("dm linear: add support for zoned block devices")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      beb9caac