1. 05 Aug, 2018 2 commits
    • Dmitry Safonov's avatar
      netlink: Don't shift on 64 for ngroups · 91874ecf
      Dmitry Safonov authored
      It's legal to have 64 groups for netlink_sock.
      
      As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe
      only to first 32 groups.
      
      The check for correctness of .bind() userspace supplied parameter
      is done by applying mask made from ngroups shift. Which broke Android
      as they have 64 groups and the shift for mask resulted in an overflow.
      
      Fixes: 61f4b237 ("netlink: Don't shift with UB on nlk->ngroups")
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Reported-and-Tested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      91874ecf
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 5dbfb6ec
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-08-05
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix bpftool percpu_array dump by using correct roundup to next
         multiple of 8 for the value size, from Yonghong.
      
      2) Fix in AF_XDP's __xsk_rcv_zc() to not returning frames back to
         allocator since driver will recycle frame anyway in case of an
         error, from Jakub.
      
      3) Fix up BPF test_lwt_seg6local test cases to final iproute2
         syntax, from Mathieu.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5dbfb6ec
  2. 04 Aug, 2018 1 commit
  3. 03 Aug, 2018 7 commits
    • Guillaume Nault's avatar
      l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() · f664e37d
      Guillaume Nault authored
      If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
      drop the reference taken by l2tp_session_get().
      
      Fixes: ecd012e4 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f664e37d
    • David S. Miller's avatar
      Merge branch 'mlxsw-Fix-ACL-actions-error-condition-handling' · 60a01828
      David S. Miller authored
      Ido Schimmel says:
      
      ====================
      mlxsw: Fix ACL actions error condition handling
      
      Nir says:
      
      Two issues were lately noticed within mlxsw ACL actions error condition
      handling. The first patch deals with conflicting actions such as:
      
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 flower skip_sw dst_ip 192.168.101.1 \
         action goto chain 100 \
         action mirred egress redirect dev swp4
      
      The second action will never execute, however SW model allows this
      configuration, while the mlxsw driver cannot allow for it as it
      implements actions in sets of up to three actions per set with a single
      termination marking. Conflicting actions create a contradiction over
      this single marking and thus cannot be configured. The fix replaces a
      misplaced warning with an error code to be returned.
      
      Patches 2-4 fix a condition of duplicate destruction of resources. Some
      actions require allocation of specific resource prior to setting the
      action itself. On error condition this resource was destroyed twice,
      leading to a crash when using mirror action, and to a redundant
      destruction in other cases, since for error condition rule destruction
      also takes care of resource destruction. In order to fix this state a
      symmetry in behavior is added and resource destruction also takes care
      of removing the resource from rule's resource list.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      60a01828
    • Nir Dotan's avatar
      mlxsw: core_acl_flex_actions: Remove redundant mirror resource destruction · caebd1b3
      Nir Dotan authored
      In previous patch mlxsw_afa_resource_del() was added to avoid a duplicate
      resource detruction scenario.
      For mirror actions, such duplicate destruction leads to a crash as in:
      
       # tc qdisc add dev swp49 ingress
       # tc filter add dev swp49 parent ffff: \
         protocol ip chain 100 pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action drop
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Therefore add a call to mlxsw_afa_resource_del() in
      mlxsw_afa_mirror_destroy() in order to clear that resource
      from rule's resources.
      
      Fixes: d0d13c18 ("mlxsw: spectrum_acl: Add support for mirror action")
      Signed-off-by: default avatarNir Dotan <nird@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      caebd1b3
    • Nir Dotan's avatar
      mlxsw: core_acl_flex_actions: Remove redundant counter destruction · 7cc61694
      Nir Dotan authored
      Each tc flower rule uses a hidden count action. As counter resource may
      not be available due to limited HW resources, update _counter_create()
      and _counter_destroy() pair to follow previously introduced symmetric
      error condition handling, add a call to mlxsw_afa_resource_del() as part
      of the counter resource destruction.
      
      Fixes: c18c1e18 ("mlxsw: core: Make counter index allocated inside the action append")
      Signed-off-by: default avatarNir Dotan <nird@mellanox.com>
      Reviewed-by: default avatarPetr Machata <petrm@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7cc61694
    • Nir Dotan's avatar
      mlxsw: core_acl_flex_actions: Remove redundant resource destruction · dda0a3a3
      Nir Dotan authored
      Some ACL actions require the allocation of a separate resource
      prior to applying the action itself. When facing an error condition
      during the setup phase of the action, resource should be destroyed.
      For such actions the destruction was done twice which is dangerous
      and lead to a potential crash.
      The destruction took place first upon error on action setup phase
      and then as the rule was destroyed.
      
      The following sequence generated a crash:
      
       # tc qdisc add dev swp49 ingress
       # tc filter add dev swp49 parent ffff: \
         protocol ip chain 100 pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action drop
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Therefore add mlxsw_afa_resource_del() as a complement of
      mlxsw_afa_resource_add() to add symmetry to resource_list membership
      handling. Call this from mlxsw_afa_fwd_entry_ref_destroy() to make the
      _fwd_entry_ref_create() and _fwd_entry_ref_destroy() pair of calls a
      NOP.
      
      Fixes: 140ce421 ("mlxsw: core: Convert fwd_entry_ref list to be generic per-block resource list")
      Signed-off-by: default avatarNir Dotan <nird@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dda0a3a3
    • Nir Dotan's avatar
      mlxsw: core_acl_flex_actions: Return error for conflicting actions · 3757b255
      Nir Dotan authored
      Spectrum switch ACL action set is built in groups of three actions
      which may point to additional actions. A group holds a single record
      which can be set as goto record for pointing at a following group
      or can be set to mark the termination of the lookup. This is perfectly
      adequate for handling a series of actions to be executed on a packet.
      While the SW model allows configuration of conflicting actions
      where it is clear that some actions will never execute, the mlxsw
      driver must block such configurations as it creates a conflict
      over the single terminate/goto record value.
      
      For a conflicting actions configuration such as:
      
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 \
         action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Where it is clear that the last action will never execute, the
      mlxsw driver was issuing a warning instead of returning an error.
      Therefore replace that warning with an error for this specific
      case.
      
      Fixes: 4cda7d8d ("mlxsw: core: Introduce flexible actions support")
      Signed-off-by: default avatarNir Dotan <nird@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3757b255
    • Mathieu Xhonneux's avatar
      selftests/bpf: update test_lwt_seg6local.sh according to iproute2 · 8c85cbdf
      Mathieu Xhonneux authored
      The shell file for test_lwt_seg6local contains an early iproute2 syntax
      for installing a seg6local End.BPF route. iproute2 support for this
      feature has recently been upstreamed, but with an additional keyword
      required. This patch updates test_lwt_seg6local.sh to the definitive
      iproute2 syntax
      Signed-off-by: default avatarMathieu Xhonneux <m.xhonneux@gmail.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      8c85cbdf
  4. 02 Aug, 2018 6 commits
  5. 01 Aug, 2018 15 commits
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 6b470376
      Linus Torvalds authored
      Pull ARM fix from Russell King:
       "Just a single fix this time around for recent binutils causing build
        problems when generating Thumb-2 code"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8781/1: Fix Thumb-2 syscall return for binutils 2.29+
      6b470376
    • Linus Torvalds's avatar
      mm: do not initialize TLB stack vma's with vma_init() · 8b11ec1b
      Linus Torvalds authored
      Commit 2c4541e2 ("mm: use vma_init() to initialize VMAs on stack and
      data segments") tried to initialize various left-over ad-hoc vma's
      "properly", but actually made things worse for the temporary vma's used
      for TLB flushing.
      
      vma_init() doesn't actually initialize all of the vma, just a few
      fields, so doing something like
      
         -       struct vm_area_struct vma = { .vm_mm = tlb->mm, };
         +       struct vm_area_struct vma;
         +
         +       vma_init(&vma, tlb->mm);
      
      was actually very bad: instead of having a nicely initialized vma with
      every field but "vm_mm" zeroed, you'd have an entirely uninitialized vma
      with only a couple of fields initialized.  And they weren't even fields
      that the code in question mostly cared about.
      
      The flush_tlb_range() function takes a "struct vma" rather than a
      "struct mm_struct", because a few architectures actually care about what
      kind of range it is - being able to only do an ITLB flush if it's a
      range that doesn't have data accesses enabled, for example.  And all the
      normal users already have the vma for doing the range invalidation.
      
      But a few people want to call flush_tlb_range() with a range they just
      made up, so they also end up using a made-up vma.  x86 just has a
      special "flush_tlb_mm_range()" function for this, but other
      architectures (arm and ia64) do the "use fake vma" thing instead, and
      thus got caught up in the vma_init() changes.
      
      At the same time, the TLB flushing code really doesn't care about most
      other fields in the vma, so vma_init() is just unnecessary and
      pointless.
      
      This fixes things by having an explicit "this is just an initializer for
      the TLB flush" initializer macro, which is used by the arm/arm64/ia64
      people who mis-use this interface with just a dummy vma.
      
      Fixes: 2c4541e2 ("mm: use vma_init() to initialize VMAs on stack and data segments")
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Hugh Dickins <hughd@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8b11ec1b
    • Hugh Dickins's avatar
      mm: delete historical BUG from zap_pmd_range() · 53406ed1
      Hugh Dickins authored
      Delete the old VM_BUG_ON_VMA() from zap_pmd_range(), which asserted
      that mmap_sem must be held when splitting an "anonymous" vma there.
      Whether that's still strictly true nowadays is not entirely clear,
      but the danger of sometimes crashing on the BUG is now fairly clear.
      
      Even with the new stricter rules for anonymous vma marking, the
      condition it checks for can possible trigger. Commit 44960f2a
      ("staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem
      pages") is good, and originally I thought it was safe from that
      VM_BUG_ON_VMA(), because the /dev/ashmem fd exposed to the user is
      disconnected from the vm_file in the vma, and madvise(,,MADV_REMOVE)
      insists on VM_SHARED.
      
      But after I read John's earlier mail, drawing attention to the
      vfs_fallocate() in there: I may be wrong, and I don't know if Android
      has THP in the config anyway, but it looks to me like an
      unmap_mapping_range() from ashmem's vfs_fallocate() could hit precisely
      the VM_BUG_ON_VMA(), once it's vma_is_anonymous().
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      53406ed1
    • YueHaibing's avatar
      rxrpc: Fix user call ID check in rxrpc_service_prealloc_one · c01f6c9b
      YueHaibing authored
      There just check the user call ID isn't already in use, hence should
      compare user_call_ID with xcall->user_call_ID, which is current
      node's user_call_ID.
      
      Fixes: 540b1c48 ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
      Suggested-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c01f6c9b
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 9a97ebf7
      Linus Torvalds authored
      Pull MMC fix from Ulf Hansson:
       "MMC host: mxcmmc: Fix build error for powerpc"
      
      * tag 'mmc-v4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: mxcmmc: Fix missing parentheses and brace
      9a97ebf7
    • Linus Torvalds's avatar
      Merge tag 'pm-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f390b7bf
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix the scope of a recent intel_pstate driver optimization used
        incorrectly on some systems due to processor identification ambiguity
        and fix a few issues in the turbostat utility, including three recent
        regressions.
      
        Specifics:
      
         - Use ACPI FADT preferred PM Profile to distinguish Skylake desktop
           processors from some server ones with the same model number in
           order to limit the scope of the recent IO-wait boost optimization
           to servers, as intended (Srinivas Pandruvada).
      
         - Fix several issues in the turbostat utility:
            * Fix the -S option on 1-CPU systems (Len Brown).
            * Fix computations using incorrect processor core counts (Artem
              Bityutskiy).
            * Fix the x2apic debug message (Len Brown).
            * Fix logical node enumeration to allow for non-sequential
              physical nodes (Prarit Bhargava).
            * Fix reported family on modern AMD processors (Calvin Walton).
            * Clarify the RAPL column information in the man page (Len Brown)"
      
      * tag 'pm-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: intel_pstate: Limit the scope of HWP dynamic boost platforms
        tools/power turbostat: version 18.07.27
        tools/power turbostat: Read extended processor family from CPUID
        tools/power turbostat: Fix logical node enumeration to allow for non-sequential physical nodes
        tools/power turbostat: fix x2apic debug message output file
        tools/power turbostat: fix bogus summary values
        tools/power turbostat: fix -S on UP systems
        tools/power turbostat: Update turbostat(8) RAPL throttling column description
      f390b7bf
    • Linus Torvalds's avatar
      squashfs metadata 2: electric boogaloo · cdbb65c4
      Linus Torvalds authored
      Anatoly continues to find issues with fuzzed squashfs images.
      
      This time, corrupt, missing, or undersized data for the page filling
      wasn't checked for, because the squashfs_{copy,read}_cache() functions
      did the squashfs_copy_data() call without checking the resulting data
      size.
      
      Which could result in the page cache pages being incompletely filled in,
      and no error indication to the user space reading garbage data.
      
      So make a helper function for the "fill in pages" case, because the
      exact same incomplete sequence existed in two places.
      
      [ I should have made a squashfs branch for these things, but I didn't
        intend to start doing them in the first place.
      
        My historical connection through cramfs is why I got into looking at
        these issues at all, and every time I (continue to) think it's a
        one-off.
      
        Because _this_ time is always the last time. Right?   - Linus ]
      Reported-by: default avatarAnatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Phillip Lougher <phillip@squashfs.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cdbb65c4
    • John Stultz's avatar
      staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages · 44960f2a
      John Stultz authored
      Amit Pundir and Youling in parallel reported crashes with recent
      mainline kernels running Android:
      
        F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        F DEBUG   : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
        F DEBUG   : Revision: '0'
        F DEBUG   : ABI: 'arm'
        F DEBUG   : pid: 2261, tid: 2261, name: zygote  >>> zygote <<<
        F DEBUG   : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
        ... <snip> ...
        F DEBUG   : backtrace:
        F DEBUG   :     #00 pc 00001c04  /system/lib/libc.so (memset+48)
        F DEBUG   :     #01 pc 0010c513  /system/lib/libart.so (create_mspace_with_base+82)
        F DEBUG   :     #02 pc 0015c601  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40)
        F DEBUG   :     #03 pc 0015c3ed  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string<char, std::__ 1::char_traits<char>, std::__1::allocator<char>> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36)
        ...
      
      This was bisected back to commit bfd40eaf ("mm: fix
      vma_is_anonymous() false-positives").
      
      create_mspace_with_base() in the trace above, utilizes ashmem, and with
      ashmem, for shared mappings we use shmem_zero_setup(), which sets the
      vma->vm_ops to &shmem_vm_ops.  But for private ashmem mappings nothing
      sets the vma->vm_ops.
      
      Looking at the problematic patch, it seems to add a requirement that one
      call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be
      used.  Using the dummy_vm_ops seem to triggger SIGBUS when traversing
      unmapped pages.
      
      Thus, this patch adds a call to vma_set_anonymous() for ashmem private
      mappings and seems to avoid the reported problem.
      
      Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Joel Fernandes <joelaf@google.com>
      Cc: Colin Cross <ccross@google.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Reported-by: default avatarAmit Pundir <amit.pundir@linaro.org>
      Reported-by: default avatarYouling 257 <youling257@gmail.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      44960f2a
    • Linus Torvalds's avatar
      ia64: mark special ia64 memory areas anonymous · ebad825c
      Linus Torvalds authored
      Commit bfd40eaf ("mm: fix vma_is_anonymous() false-positives") made
      newly allocated vma's have a dummy vm_ops field so that they wouldn't be
      mistaken for anonymous mappings, and if you wanted an anonymous vma you
      had to explicitly say so by calling "vma_set_anonymous()" on it.
      
      However, it missed the two special vmas that ia64 processes have: the
      register backing store and the NaT page.  So they wouldn't actually act
      like anonymous ranges, and page faults on them caused a SIGBUS rather
      than the creation of a new anon page in them.
      
      That obviously will make any ia64 binary very unhappy indeed, and the
      boot fails early.
      
      Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
      Reported-by: default avatarTony Luck <tony.luck@intel.com>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ebad825c
    • Florian Fainelli's avatar
      net: dsa: Do not suspend/resume closed slave_dev · a94c689e
      Florian Fainelli authored
      If a DSA slave network device was previously disabled, there is no need
      to suspend or resume it.
      
      Fixes: 24462549 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a94c689e
    • Jeremy Cline's avatar
      netlink: Fix spectre v1 gadget in netlink_create() · bc5b6c0b
      Jeremy Cline authored
      'protocol' is a user-controlled value, so sanitize it after the bounds
      check to avoid using it for speculative out-of-bounds access to arrays
      indexed by it.
      
      This addresses the following accesses detected with the help of smatch:
      
      * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
        spectre issue 'nlk_cb_mutex_keys' [w]
      
      * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
        spectre issue 'nlk_cb_mutex_key_strings' [w]
      
      * net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
        issue 'nl_table' [w] (local cap)
      
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarJeremy Cline <jcline@redhat.com>
      Reviewed-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc5b6c0b
    • Ioana Ciornei's avatar
      Documentation: dpaa2: Use correct heading adornment · e02ee981
      Ioana Ciornei authored
      Add overline heading adornment to document title in order to comply
      with kernel doc requirements.
      
      Fixes: 60b91319 staging: fsl-mc: Convert documentation to rst format
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e02ee981
    • Jose Abreu's avatar
      net: stmmac: Fix WoL for PCI-based setups · b7d0f08e
      Jose Abreu authored
      WoL won't work in PCI-based setups because we are not saving the PCI EP
      state before entering suspend state and not allowing D3 wake.
      
      Fix this by using a wrapper around stmmac_{suspend/resume} which
      correctly sets the PCI EP state.
      Signed-off-by: default avatarJose Abreu <joabreu@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7d0f08e
    • Eric Dumazet's avatar
      bonding: avoid lockdep confusion in bond_get_stats() · 7e2556e4
      Eric Dumazet authored
      syzbot found that the following sequence produces a LOCKDEP splat [1]
      
      ip link add bond10 type bond
      ip link add bond11 type bond
      ip link set bond11 master bond10
      
      To fix this, we can use the already provided nest_level.
      
      This patch also provides correct nesting for dev->addr_list_lock
      
      [1]
      WARNING: possible recursive locking detected
      4.18.0-rc6+ #167 Not tainted
      --------------------------------------------
      syz-executor751/4439 is trying to acquire lock:
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
      
      but task is already holding lock:
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&bond->stats_lock)->rlock);
        lock(&(&bond->stats_lock)->rlock);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      3 locks held by syz-executor751/4439:
       #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
       #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
       #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
       #2: (____ptrval____) (rcu_read_lock){....}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215
      
      stack backtrace:
      CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
       check_deadlock kernel/locking/lockdep.c:1809 [inline]
       validate_chain kernel/locking/lockdep.c:2405 [inline]
       __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
       lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
       spin_lock include/linux/spinlock.h:310 [inline]
       bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
       dev_get_stats+0x10f/0x470 net/core/dev.c:8316
       bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432
       dev_get_stats+0x10f/0x470 net/core/dev.c:8316
       rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169
       rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611
       rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268
       rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300
       rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline]
       rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716
       notifier_call_chain+0x180/0x390 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
       call_netdevice_notifiers net/core/dev.c:1753 [inline]
       netdev_features_change net/core/dev.c:1321 [inline]
       netdev_change_features+0xb3/0x110 net/core/dev.c:7759
       bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120
       bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755
       bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528
       dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327
       dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
       sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992
       sock_ioctl+0x30d/0x680 net/socket.c:1093
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
       __do_sys_ioctl fs/ioctl.c:708 [inline]
       __se_sys_ioctl fs/ioctl.c:706 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x440859
      Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffc51a92878 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440859
      RDX: 0000000020000040 RSI: 0000000000008990 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
      R10: 00000000022d5880 R11: 0000000000000213 R12: 0000000000007390
      R13: 0000000000401db0 R14: 0000000000000000 R15: 0000000000000000
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7e2556e4
    • Rafael J. Wysocki's avatar
      Merge branch 'pm-tools' · 9b7c19e9
      Rafael J. Wysocki authored
      Merge turbostat utility fixes for final 4.18:
      
       - Fix the -S option on 1-CPU systems.
       - Fix computations using incorrect processor core counts.
       - Fix the x2apic debug message.
       - Fix logical node enumeration to allow for non-sequential physical nodes.
       - Fix reported family on modern AMD processors.
       - Clarify the RAPL column information in the man page.
      
      * pm-tools:
        tools/power turbostat: version 18.07.27
        tools/power turbostat: Read extended processor family from CPUID
        tools/power turbostat: Fix logical node enumeration to allow for non-sequential physical nodes
        tools/power turbostat: fix x2apic debug message output file
        tools/power turbostat: fix bogus summary values
        tools/power turbostat: fix -S on UP systems
        tools/power turbostat: Update turbostat(8) RAPL throttling column description
      9b7c19e9
  6. 31 Jul, 2018 9 commits