1. 08 Dec, 2016 4 commits
  2. 07 Dec, 2016 5 commits
  3. 06 Dec, 2016 20 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · bc3913a5
      Linus Torvalds authored
      Pull sparc fix from David Miller:
       "A use-before-NULL-check from Dan Carpenter"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        dbri: move dereference after check for NULL
    • dbri: move dereference after check for NULL · 163117e8
      Dan Carpenter authored
      We accidentally introduced a dereference before the NULL check in
      xmit_descs() as part of silencing a GCC warning.
      
      Fixes: 16f46050 ("dbri: Fix compiler warning")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · da1b466f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) When dcbnl_cee_fill() fails to be able to push a new netlink
          attribute, it returns 0 instead of an error code. From Pan Bian.
      
       2) Two suffix handling fixes to FIB trie code, from Alexander Duyck.
      
       3) bnxt_hwrm_stat_ctx_alloc() goes through all the trouble of setting
          and maintaining a return code 'rc' but fails to actually return it.
          Also from Pan Bian.
      
       4) ping socket ICMP handler needs to validate ICMP header length, from
          Kees Cook.
      
       5) caif_sktinit_module() has this interesting logic:
      
              int err = sock_register(...);
              if (!err)
                      return err;
              return 0;
      
          Just return sock_register()'s return value directly which is the
          only possible correct thing to do.
      
       6) Two bnx2x driver fixes from Yuval Mintz, return a reasonable
          estimate from get_ringparam() ethtool op when interface is down and
          avoid trying to use UDP port based tunneling on 577xx chips.
      
       7) Fix ep93xx_eth crash on module unload from Florian Fainelli.
      
       8) Missing uapi exports, from Stephen Hemminger.
      
       9) Don't schedule work from sk_destruct(), because the socket will be
          freed upon return from that function. From Herbert Xu.
      
      10) Buggy drivers, of which we know there is at least one, can send a
          huge packet into the TCP stack but forget to set the gso_size in the
          SKB, which causes all kinds of problems.
      
          Correct this when it happens, and emit a one-time warning with the
          device name included so that it can be diagnosed more easily.
      
          From Marcelo Ricardo Leitner.
      
      11) virtio-net doing DMA off the stack causes hiccups with VMAP_STACK,
          fix from Andy Lutomirski.
      
      12) Fix fec driver compilation with CONFIG_M5272, from Nikita
          Yushchenko.
      
      13) mlx5 fixes from Kamal Heib, Saeed Mahameed, and Mohamad Haj Yahia.
          (erroneously flushing queues on error, module parameter validation,
          etc)
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (34 commits)
        net/mlx5e: Change the SQ/RQ operational state to positive logic
        net/mlx5e: Don't flush SQ on error
        net/mlx5e: Don't notify HW when filling the edge of ICO SQ
        net/mlx5: Fix query ISSI flow
        net/mlx5: Remove duplicate pci dev name print
        net/mlx5: Verify module parameters
        net: fec: fix compile with CONFIG_M5272
        be2net: Add DEVSEC privilege to SET_HSW_CONFIG command.
        virtio-net: Fix DMA-from-the-stack in virtnet_set_mac_address()
        tcp: warn on bogus MSS and try to amend it
        uapi glibc compat: fix outer guard of net device flags enum
        net: stmmac: clear reset value of snps, wr_osr_lmt/snps, rd_osr_lmt before writing
        netlink: Do not schedule work from sk_destruct
        uapi: export nf_log.h
        uapi: export tc_skbmod.h
        net: ep93xx_eth: Do not crash unloading module
        bnx2x: Prevent tunnel config for 577xx
        bnx2x: Correct ringparam estimate when DOWN
        isdn: hisax: set error code on failure
        net: bnx2x: fix improper return value
        ...
    • shmem: fix shm fallocate() list corruption · 10d20bd2
      Linus Torvalds authored
      The shmem hole punching with fallocate(FALLOC_FL_PUNCH_HOLE) does not
      want to race with generating new pages by faulting them in.
      
      However, the wait-queue used to delay the page faulting has a serious
      problem: the wait queue head (in shmem_fallocate()) is allocated on the
      stack, and the code expects that "wake_up_all()" will make sure that all
      the queue entries are gone before the stack frame is de-allocated.
      
      And that is not at all necessarily the case.
      
      Yes, a normal wake-up sequence will remove the wait-queue entry that
      caused the wakeup (see "autoremove_wake_function()"), but the key
      wording there is "that caused the wakeup".  When there are multiple
      possible wakeup sources, the wait queue entry may well stay around.
      
      And _particularly_ in a page fault path, we may be faulting in new pages
      from user space while we also have other things going on, and there may
      well be other pending wakeups.
      
      So despite the "wake_up_all()", it's not at all guaranteed that all list
      entries are removed from the wait queue head on the stack.
      
      Fix this by introducing a new wakeup function that removes the list
      entry unconditionally, even if the target process had already woken up
      for other reasons.  Use that "synchronous" function to set up the
      waiters in shmem_fault().
      
      This problem has never been seen in the wild afaik, but Dave Jones has
      reported it on and off while running trinity.  We thought we fixed the
      stack corruption with the blk-mq rq_list locking fix (commit
      7fe31130: "blk-mq: update hardware and software queues for sleeping
      alloc"), but it turns out there was _another_ stack corruptor hiding
      in the trinity runs.
      
      Vegard Nossum (also running trinity) was able to trigger this one fairly
      consistently, and made us look once again at the shmem code due to the
      faults often being in that area.
      
      Reported-and-tested-by: Vegard Nossum <vegard.nossum@oracle.com>.
      Reported-by: Dave Jones <davej@codemonkey.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'mlx5-fixes' · 32f16e14
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox 100G mlx5 fixes 2016-12-04
      
      Some bug fixes for mlx5 core and mlx5e driver.
      
      v1->v2:
       - replace "uint" with "unsigned int"
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx5e: Change the SQ/RQ operational state to positive logic · c0f1147d
      Mohamad Haj Yahia authored
      When using the negative logic (i.e. FLUSH state), after the RQ/SQ reopen
      we will have a time interval that the RQ/SQ is not really ready and the
      state indicates that it's not in FLUSH state because the initial SQ/RQ struct
      memory starts as zeros.
      Now we changed the state to indicate if the SQ/RQ is opened and we will
      set the READY state after finishing preparing all the SQ/RQ resources.
      
      Fixes: 6e8dd6d6 ("net/mlx5e: Don't wait for SQ completions on close")
      Fixes: f2fde18c ("net/mlx5e: Don't wait for RQ completions on close")
      Signed-off-by: Mohamad Haj Yahia <mohamad@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx5e: Don't flush SQ on error · 3c8591d5
      Saeed Mahameed authored
      We are doing SQ descriptors cleanup in driver.
      
      Fixes: 6e8dd6d6 ("net/mlx5e: Don't wait for SQ completions on close")
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx5e: Don't notify HW when filling the edge of ICO SQ · b8335d91
      Saeed Mahameed authored
      We are going to do this a couple of steps ahead anyway.
      
      Fixes: d3c9bc27 ("net/mlx5e: Added ICO SQs")
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx5: Fix query ISSI flow · f9c14e46
      Kamal Heib authored
      In old FWs query ISSI command is not supported and for some of those FWs
      it might fail with status other than "MLX5_CMD_STAT_BAD_OP_ERR".
      
      In such case instead of failing the driver load, we will treat any FW
      status other than 0 for Query ISSI FW command as ISSI not supported and
      assume ISSI=0 (most basic driver/FW interface).
      
      In case of driver syndrome (query ISSI failure by driver) we will fail
      driver load.
      
      Fixes: f62b8bb8 ('net/mlx5: Extend mlx5_core to support ConnectX-4
      Ethernet functionality')
      Signed-off-by: Kamal Heib <kamalh@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx5: Remove duplicate pci dev name print · 9e5b2fc1
      Kamal Heib authored
      Remove duplicate pci dev name printing from mlx5_core_warn/dbg.
      
      Fixes: 5a788398 ('net/mlx5_core: Improve mlx5 messages')
      Signed-off-by: Kamal Heib <kamalh@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx5: Verify module parameters · f663ad98
      Kamal Heib authored
      Verify the mlx5_core module parameters by making sure that they are in
      the expected range and if they aren't restore them to their default
      values.
      
      Fixes: 9603b61d ('mlx5: Move pci device handling from mlx5_ib to mlx5_core')
      Signed-off-by: Kamal Heib <kamalh@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: fec: fix compile with CONFIG_M5272 · f85de666
      Nikita Yushchenko authored
      Commit 80cca775 ("net: fec: cache statistics while device is down")
      introduced unconditional statistics-related actions.
      
      However, when driver is compiled with CONFIG_M5272, statistics-related
      definitions do not exist, which results in build errors.
      
      Fix that by adding explicit handling of !defined(CONFIG_M5272) case.
      
      Fixes: 80cca775 ("net: fec: cache statistics while device is down")
      Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • be2net: Add DEVSEC privilege to SET_HSW_CONFIG command. · d14584d9
      Venkat Duvvuru authored
      OPCODE_COMMON_GET_FN_PRIVILEGES is returning only DEVSEC
      privilege (Unrestricted Administrative Privilege) for Lancer NIC functions.
      So, driver is failing SET_HSW_CONFIG command, as DEVSEC privilege was not
      set in the privilege bitmap. This patch fixes the problem by setting DEVSEC
      privilege in SET_HSW_CONFIG’s privilege bitmap.
      Signed-off-by: Venkat Duvvuru <venkatkumar.duvvuru@broadcom.com>
      Signed-off-by: Suresh Reddy <suresh.reddy@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • virtio-net: Fix DMA-from-the-stack in virtnet_set_mac_address() · e37e2ff3
      Andy Lutomirski authored
      With CONFIG_VMAP_STACK=y, virtnet_set_mac_address() can be passed a
      pointer to the stack and it will OOPS.  Copy the address to the heap
      to prevent the crash.
      
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Cc: Jason Wang <jasowang@redhat.com>
      Cc: Laura Abbott <labbott@redhat.com>
      Reported-by: zbyszek@in.waw.pl
      Signed-off-by: Andy Lutomirski <luto@kernel.org>
      Acked-by: Jason Wang <jasowang@redhat.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: warn on bogus MSS and try to amend it · dcb17d22
      Marcelo Ricardo Leitner authored
      There have been some reports lately about TCP connection stalls caused
      by NIC drivers that aren't setting gso_size on aggregated packets on rx
      path. This causes TCP to assume that the MSS is actually the size of the
      aggregated packet, which is invalid.
      
      Although the proper fix is to be done at each driver, it's often hard
      and cumbersome for one to debug, come to such root cause and report/fix
      it.
      
      This patch amends this situation in two ways. First, it adds a warning
      on when this situation occurs, so it gives a hint to those trying to
      debug this. It also limits the maximum probed MSS to the advertised MSS,
      as it should never be any higher than that.
      
      The result is that the connection may not have the best performance ever
      but it shouldn't stall, and the admin will have a hint on what to look
      for.
      
      Tested with virtio by forcing gso_size to 0.
      
      v2: updated msg per David's suggestion
      v3: use skb_iif to find the interface and also log its name, per Eric
          Dumazet's suggestion. As the skb may be backlogged and the interface
          gone by then, we need to check if the number still has a meaning.
      v4: use helper tcp_gro_dev_warn() and avoid pr_warn_once inside __once, per
          David's suggestion
      
      Cc: Jonathan Maxwell <jmaxwell37@gmail.com>
      Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • uapi glibc compat: fix outer guard of net device flags enum · efc45154
      Jonas Gorski authored
      Fix a wrong condition preventing the higher net device flags
      IFF_LOWER_UP etc to be defined if net/if.h is included before
      linux/if.h.
      
      The comment makes it clear the intention was to allow partial
      definition with either part.
      
      This fixes compilation of userspace programs trying to use
      IFF_LOWER_UP, IFF_DORMANT or IFF_ECHO.
      
      Fixes: 4a91cb61 ("uapi glibc compat: fix compile errors when glibc net/if.h included before linux/if.h")
      Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
      Reviewed-by: Mikko Rapeli <mikko.rapeli@iki.fi>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: stmmac: clear reset value of snps, wr_osr_lmt/snps, rd_osr_lmt before writing · 6b3374cb
      Niklas Cassel authored
      WR_OSR_LMT and RD_OSR_LMT have a reset value of 1.
      Since the reset value wasn't cleared before writing, the value in the
      register would be incorrect if specifying an uneven value for
      snps,wr_osr_lmt/snps,rd_osr_lmt.
      
      Zero is a valid value for the properties, since the databook specifies:
      maximum outstanding requests = WR_OSR_LMT + 1.
      
      We do not want to change the behavior for existing users when the
      property is missing. Therefore, default to 1 if the property is missing,
      since that is the same as the reset value.
      Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netlink: Do not schedule work from sk_destruct · ed5d7788
      Herbert Xu authored
      It is wrong to schedule a work from sk_destruct using the socket
      as the memory reserve because the socket will be freed immediately
      after the return from sk_destruct.
      
      Instead we should do the deferral prior to sk_free.
      
      This patch does just that.
      
      Fixes: 707693c8 ("netlink: Call cb->done from a worker thread")
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Tested-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • uapi: export nf_log.h · ffe3bb85
      stephen hemminger authored
      File is in uapi directory but not being copied on
       make install_headers
      
      Fixes commit 4ec9c8fbbc22 ("netfilter: nft_log: complete
      NFTA_LOG_FLAGS attr support").
      Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • uapi: export tc_skbmod.h · ad558858
      stephen hemminger authored
      Fixes commit 735cffe5d800 ("net_sched: Introduce skbmod action")
      Not used by iproute2 but maybe in future.
      Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 05 Dec, 2016 11 commits
    • net: ep93xx_eth: Do not crash unloading module · c823abac
      Florian Fainelli authored
      When we unload the ep93xx_eth, whether we have opened the network
      interface or not, we will either hit a kernel paging request error, or a
      simple NULL pointer de-reference because:
      
      - if ep93xx_open has been called, we have created a valid DMA mapping
        for ep->descs, when we call ep93xx_stop, we also call
        ep93xx_free_buffers, ep->descs now has a stale value
      
      - if ep93xx_open has not been called, we have a NULL pointer for
        ep->descs, so performing any operation against that address just won't
        work
      
      Fix this by adding a NULL pointer check for ep->descs which means that
      ep93xx_free_buffers() was able to successfully tear down the descriptors
      and free the DMA cookie as well.
      
      Fixes: 1d22e05d ("[PATCH] Cirrus Logic ep93xx ethernet driver")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'bnx2x-fixes' · 34e0f2c2
      David S. Miller authored
      Yuval Mintz says:
      
      ====================
      bnx2x: fixes series
      
      Two unrelated fixes for bnx2x - the first one is nice-to-have,
      while the other fixes fatal behaviour in older adapters.
      
      Please consider applying them to `net'.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bnx2x: Prevent tunnel config for 577xx · 360d9df2
      Mintz, Yuval authored
      Only the 578xx adapters are capable of configuring UDP ports for
      the purpose of tunnelling - doing the same on 577xx might lead to
      a firmware assertion.
      We're already not claiming support for any related feature for such
      devices, but we also need to prevent the configuration of the UDP
      ports to the device in this case.
      
      Fixes: f34fa14c ("bnx2x: Add vxlan RSS support")
      Reported-by: Anikina Anna <anikina@gmail.com>
      Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bnx2x: Correct ringparam estimate when DOWN · 65870fa7
      Mintz, Yuval authored
      Until interface is up [and assuming ringparams weren't explicitly
      configured] when queried for the size of its rings bnx2x would
      claim they're the maximal size by default.
      That is incorrect as by default the maximal number of buffers would
      be equally divided between the various rx rings.
      
      This prevents the user from actually setting the number of elements
      on each rx ring to be of maximal size prior to transitioning the
      interface into up state.
      
      To fix this, make a rough estimation about the number of buffers.
      It wouldn't always be accurate, but it would be much better than
      current estimation and would allow users to increase number of
      buffers during early initialization of the interface.
      Reported-by: Seymour, Shane <shane.seymour@hpe.com>
      Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • isdn: hisax: set error code on failure · 9a53682b
      Pan Bian authored
      In function hfc4s8s_probe(), the value of return variable err should be
      negative on failures. However, when the call to request_region() returns
      NULL, the value of err is 0. This patch fixes the bug, assigning
      "-EBUSY" to err on the path that request_region() fails.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188931
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: bnx2x: fix improper return value · 005f7e68
      Pan Bian authored
      Macro BNX2X_ALLOC_AND_SET(arr, lbl, func) calls kmalloc() to allocate
      memory, and jumps to label "lbl" if the allocation fails. Label "lbl"
      first cleans memory and then returns variable rc. Before calling the
      macro, the value of variable rc is 0. Because 0 means no error, the
      callers of bnx2x_init_firmware() may be misled. This patch fixes the bug,
      assigning "-ENOMEM" to rc before calling macro BNX2X_ALLOC_AND_SET().
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189141
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: qlogic: set error code on failure · 0ff18d2d
      Pan Bian authored
      When calling dma_mapping_error(), the value of return variable rc is 0.
      And when the call returns an unexpected value, rc is not set to a
      negative errno. Thus, it will return 0 on the error path, and its
      callers cannot detect the bug. This patch fixes the bug, assigning
      "-ENOMEM" to err.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189041
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Acked-by: Yuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • atm: fix improper return value · 7cf61566
      Pan Bian authored
      It returns variable "error" when ioremap_nocache() returns a NULL
      pointer. The value of "error" is 0 then, which will mislead the callers
      to believe that there is no error. This patch fixes the bug, returning
      "-ENOMEM".
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189021
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: irda: set error code on failures · 8ad3ba93
      Pan Bian authored
      When the calls to kzalloc() fail, the value of return variable ret may
      be 0. 0 means success in this context. This patch fixes the bug,
      assigning "-ENOMEM" to ret before calling kzalloc().
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188971
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
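
      The error-path defect fixed by the hisax, bnx2x, qlogic, atm and irda commits above, as an added example that is not code from any of those drivers: a user-space C model in which a cleanup label returns a status variable that is still 0, next to the form that sets -ENOMEM first. The allocator hook, macro, struct and function names are hypothetical.

```c
/* Added example: user-space model, not driver code. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

static int fail_at = -1;   /* index of the allocation forced to fail */
static int alloc_count;    /* allocations attempted in the current run */
static int live_allocs;    /* buffers currently held, to spot leaks */
static int last_misled;    /* 1 if the last run reported success without buffers */

static void *model_alloc(size_t n)
{
    void *p;
    if (alloc_count++ == fail_at)
        return NULL;       /* injected out-of-memory condition */
    p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void model_free(void *p)
{
    if (p) { live_allocs--; free(p); }
}

/* Allocate, or jump to the cleanup label on failure. */
#define ALLOC_OR_GOTO(ptr, size, lbl) \
    do { (ptr) = model_alloc(size); if (!(ptr)) goto lbl; } while (0)

struct fw_model { void *init_ops; void *init_data; };

/* Before: rc is still 0 when the cleanup label returns it. */
int init_firmware_buggy(struct fw_model *fw)
{
    int rc = 0;
    fw->init_ops = fw->init_data = NULL;
    ALLOC_OR_GOTO(fw->init_ops, 64, err_free);
    ALLOC_OR_GOTO(fw->init_data, 64, err_free);
    return 0;
err_free:
    model_free(fw->init_data);
    model_free(fw->init_ops);
    fw->init_ops = fw->init_data = NULL;
    return rc;             /* failure reported as success */
}

/* After: rc is set to -ENOMEM before the first allocation is attempted. */
int init_firmware_fixed(struct fw_model *fw)
{
    int rc = 0;
    fw->init_ops = fw->init_data = NULL;
    rc = -ENOMEM;
    ALLOC_OR_GOTO(fw->init_ops, 64, err_free);
    ALLOC_OR_GOTO(fw->init_data, 64, err_free);
    return 0;
err_free:
    model_free(fw->init_data);
    model_free(fw->init_ops);
    fw->init_ops = fw->init_data = NULL;
    return rc;
}

/* Run one variant with allocation number fail_index failing (-1: none). */
int run_init(int fixed, int fail_index)
{
    struct fw_model fw;
    int rc;
    fail_at = fail_index;
    alloc_count = 0;
    rc = fixed ? init_firmware_fixed(&fw) : init_firmware_buggy(&fw);
    /* A caller that trusts rc == 0 would go on to use these pointers. */
    last_misled = (rc == 0 && (!fw.init_ops || !fw.init_data));
    if (rc == 0) { model_free(fw.init_ops); model_free(fw.init_data); }
    return rc;
}

int caller_misled(void) { return last_misled; }
int leaked(void) { return live_allocs; }

int main(void)
{
    printf("buggy rc=%d misled=%d\n", run_init(0, 1), caller_misled());
    printf("fixed rc=%d misled=%d\n", run_init(1, 1), caller_misled());
    return 0;
}
```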
    • net: caif: remove ineffective check · c79e167c
      Pan Bian authored
      The check of the return value of sock_register() is ineffective.
      "if(!err)" seems to be a typo. It is better to propagate the error code
      to the callers of caif_sktinit_module(). This patch removes the check
      statement and directly returns the result of sock_register().
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188751
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ping: check minimum size on ICMP header length · 0eab121e
      Kees Cook authored
      Prior to commit c0371da6 ("put iov_iter into msghdr") in v3.19, there
      was no check that the iovec contained enough bytes for an ICMP header,
      and the read loop would walk across neighboring stack contents. Since the
      iov_iter conversion, bad arguments are noticed, but the returned error is
      EFAULT. Returning EINVAL is a clearer error and also solves the problem
      prior to v3.19.
      
      This was found using trinity with KASAN on v3.18:
      
      BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
      Read of size 8 by task trinity-c2/9623
      page:ffffffbe034b9a08 count:0 mapcount:0 mapping:          (null) index:0x0
      flags: 0x0()
      page dumped because: kasan: bad access detected
      CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G    BU         3.18.0-dirty #15
      Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
      Call trace:
      [<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
      [<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
      [<     inline     >] __dump_stack lib/dump_stack.c:15
      [<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
      [<     inline     >] print_address_description mm/kasan/report.c:147
      [<     inline     >] kasan_report_error mm/kasan/report.c:236
      [<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
      [<     inline     >] check_memory_region mm/kasan/kasan.c:264
      [<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
      [<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
      [<     inline     >] memcpy_from_msg include/linux/skbuff.h:2667
      [<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
      [<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
      [<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
      [<     inline     >] __sock_sendmsg_nosec net/socket.c:624
      [<     inline     >] __sock_sendmsg net/socket.c:632
      [<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
      [<     inline     >] SYSC_sendto net/socket.c:1797
      [<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
      
      CVE-2016-8399
      Reported-by: Qidan He <i@flanker017.me>
      Fixes: c319b4d7 ("net: ipv4: add IPPROTO_ICMP socket kind")
      Cc: stable@vger.kernel.org
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
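
      An added example, not part of the commit or of the kernel source: a user-space C model of the check the message above describes, where a message too short to hold an ICMP header is rejected with EINVAL before any copy, while a bounded copy on its own reports the shortfall as EFAULT. The struct, function names and sample bytes are hypothetical and constructed for illustration.

```c
/* Added example: user-space model, not kernel code. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Stand-in for the 8-byte ICMP echo header. */
struct icmp_hdr_model {
    uint8_t  type;
    uint8_t  code;
    uint16_t checksum;
    uint16_t id;
    uint16_t seq;
};

/* Bytes the caller actually supplied across all iovec segments. */
size_t iov_total(const struct iovec *iov, int iovcnt)
{
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++)
        total += iov[i].iov_len;
    return total;
}

/* Bounded copy: stops at the last segment instead of walking past the
 * array. Running out of input is reported as -EFAULT. */
int copy_from_iov_bounded(void *dst, const struct iovec *iov, int iovcnt,
                          size_t len)
{
    unsigned char *out = dst;
    for (int i = 0; i < iovcnt && len > 0; i++) {
        size_t n = iov[i].iov_len < len ? iov[i].iov_len : len;
        if (n)
            memcpy(out, iov[i].iov_base, n);
        out += n;
        len -= n;
    }
    return len ? -EFAULT : 0;
}

/* Hardened entry point: a message too short to hold the header is
 * rejected with -EINVAL before any byte is copied. */
int ping_copy_icmp_hdr(const struct iovec *iov, int iovcnt,
                       struct icmp_hdr_model *hdr)
{
    if (iov_total(iov, iovcnt) < sizeof(*hdr))
        return -EINVAL;
    return copy_from_iov_bounded(hdr, iov, iovcnt, sizeof(*hdr));
}

/* Constructed sample: an echo request (type 8) split over two segments. */
static unsigned char seg_a[3] = { 8, 0, 0xf7 };
static unsigned char seg_b[5] = { 0xff, 0x00, 0x01, 0x00, 0x02 };

/* Only seg_a (3 bytes) is supplied; checked selects the hardened path. */
int demo_short(int checked)
{
    struct icmp_hdr_model hdr;
    struct iovec iov[1] = { { .iov_base = seg_a, .iov_len = sizeof(seg_a) } };
    return checked ? ping_copy_icmp_hdr(iov, 1, &hdr)
                   : copy_from_iov_bounded(&hdr, iov, 1, sizeof(hdr));
}

/* Full 8 bytes supplied: returns the parsed type, or a negative errno. */
int demo_full_type(void)
{
    struct icmp_hdr_model hdr;
    struct iovec iov[2] = {
        { .iov_base = seg_a, .iov_len = sizeof(seg_a) },
        { .iov_base = seg_b, .iov_len = sizeof(seg_b) },
    };
    int rc = ping_copy_icmp_hdr(iov, 2, &hdr);
    return rc ? rc : hdr.type;
}

int main(void)
{
    printf("short, bounded copy only: %d\n", demo_short(0));
    printf("short, length checked:    %d\n", demo_short(1));
    printf("full header, type:        %d\n", demo_full_type());
    return 0;
}
```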