1. 11 Jun, 2020 1 commit
  2. 10 Jun, 2020 7 commits
    • Jakub Kicinski's avatar
      docs: networkng: fix lists and table in sja1105 · 934e36ec
      Jakub Kicinski authored
      We need an empty line before list stats, otherwise first point
      will be smooshed into the paragraph. Inside tables text must
      start at the same offset in the cell, otherwise sphinx thinks
      it's a new indented block.
      
      Documentation/networking/dsa/sja1105.rst:108: WARNING: Block quote ends without a blank line; unexpected unindent.
      Documentation/networking/dsa/sja1105.rst:112: WARNING: Definition list ends without a blank line; unexpected unindent.
      Documentation/networking/dsa/sja1105.rst:245: WARNING: Unexpected indentation.
      Documentation/networking/dsa/sja1105.rst:246: WARNING: Block quote ends without a blank line; unexpected unindent.
      Documentation/networking/dsa/sja1105.rst:253: WARNING: Unexpected indentation.
      Documentation/networking/dsa/sja1105.rst:254: WARNING: Block quote ends without a blank line; unexpected unindent.
      
      Fixes: a20bc43b ("docs: net: dsa: sja1105: document the best_effort_vlan_filtering option")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Acked-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      934e36ec
    • Jakub Kicinski's avatar
      docs: networking: fix extra spaces in ethtool-netlink · 58e898a0
      Jakub Kicinski authored
      Sphinx appears to get upset at extra spaces at the end of a literal:
      
      Documentation/networking/ethtool-netlink.rst:1032: WARNING: Inline literal start-string without end-string.
      Documentation/networking/ethtool-netlink.rst:1034: WARNING: Inline literal start-string without end-string.
      Documentation/networking/ethtool-netlink.rst:1036: WARNING: Inline literal start-string without end-string.
      Documentation/networking/ethtool-netlink.rst:1089: WARNING: Inline literal start-string without end-string.
      Documentation/networking/ethtool-netlink.rst:1091: WARNING: Inline literal start-string without end-string.
      Documentation/networking/ethtool-netlink.rst:1093: WARNING: Inline literal start-string without end-string.
      
      Fixes: f2bc8ad3 ("net: ethtool: Allow PHY cable test TDR data to configured")
      Fixes: a331172b ("net: ethtool: Add attributes for cable test TDR data")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58e898a0
    • Corentin Labbe's avatar
      net: cadence: macb: disable NAPI on error · 014406ba
      Corentin Labbe authored
      When the PHY is not working, the macb driver crash on a second try to
      setup it.
      [   78.545994] macb e000b000.ethernet eth0: Could not attach PHY (-19)
      ifconfig: SIOCSIFFLAGS: No such device
      [   78.655457] ------------[ cut here ]------------
      [   78.656014] kernel BUG at /linux-next/include/linux/netdevice.h:521!
      [   78.656504] Internal error: Oops - BUG: 0 [#1] SMP ARM
      [   78.657079] Modules linked in:
      [   78.657795] CPU: 0 PID: 122 Comm: ifconfig Not tainted 5.7.0-next-20200609 #1
      [   78.658202] Hardware name: Xilinx Zynq Platform
      [   78.659632] PC is at macb_open+0x220/0x294
      [   78.660160] LR is at 0x0
      [   78.660373] pc : [<c0b0a634>]    lr : [<00000000>]    psr: 60000013
      [   78.660716] sp : c89ffd70  ip : c8a28800  fp : c199bac0
      [   78.661040] r10: 00000000  r9 : c8838540  r8 : c8838568
      [   78.661362] r7 : 00000001  r6 : c8838000  r5 : c883c000  r4 : 00000000
      [   78.661724] r3 : 00000010  r2 : 00000000  r1 : 00000000  r0 : 00000000
      [   78.662187] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [   78.662635] Control: 10c5387d  Table: 08b64059  DAC: 00000051
      [   78.663035] Process ifconfig (pid: 122, stack limit = 0x(ptrval))
      [   78.663476] Stack: (0xc89ffd70 to 0xc8a00000)
      [   78.664121] fd60:                                     00000000 c89fe000 c8838000 c89fe000
      [   78.664866] fd80: 00000000 c11ff9ac c8838028 00000000 00000000 c0de6f2c 00000001 c1804eec
      [   78.665579] fda0: c19b8178 c8838000 00000000 ca760866 c8838000 00000001 00001043 c89fe000
      [   78.666355] fdc0: 00001002 c0de72f4 c89fe000 c0de8dc0 00008914 c89fe000 c199bac0 ca760866
      [   78.667111] fde0: c89ffddc c8838000 00001002 00000000 c8838138 c881010c 00008914 c0de7364
      [   78.667862] fe00: 00000000 c89ffe70 c89fe000 ffffffff c881010c c0e8bd48 00000003 00000000
      [   78.668601] fe20: c8838000 c8810100 39c1118f 00039c11 c89a0960 00001043 00000000 000a26d0
      [   78.669343] fe40: b6f43000 ca760866 c89a0960 00000051 befe6c50 00008914 c8b2a3c0 befe6c50
      [   78.670086] fe60: 00000003 ee610500 00000000 c0e8ef58 30687465 00000000 00000000 00000000
      [   78.670865] fe80: 00001043 00000000 000a26d0 b6f43000 c89a0600 ee40ae7c c8870d00 c0ddabf4
      [   78.671593] fea0: c89ffeec c0ddabf4 c89ffeec c199bac0 00008913 c0ddac48 c89ffeec c89fe000
      [   78.672324] fec0: befe6c50 ca760866 befe6c50 00008914 c89fe000 befe6c50 c8b2a3c0 c0dc00e4
      [   78.673088] fee0: c89a0480 00000201 00000cc0 30687465 00000000 00000000 00000000 00001002
      [   78.673822] ff00: 00000000 000a26d0 b6f43000 ca760866 00008914 c8b2a3c0 000a0ec4 c8b2a3c0
      [   78.674576] ff20: befe6c50 c04b21bc 000d5004 00000817 c89a0480 c0315f94 00000000 00000003
      [   78.675415] ff40: c19a2bc8 c8a3cc00 c89fe000 00000255 00000000 00000000 00000000 000d5000
      [   78.676182] ff60: 000f6000 c180b2a0 00000817 c0315e64 000d5004 c89fffb0 b6ec0c30 ca760866
      [   78.676928] ff80: 00000000 000b609b befe6c50 000a0ec4 00000036 c03002c4 c89fe000 00000036
      [   78.677673] ffa0: 00000000 c03000c0 000b609b befe6c50 00000003 00008914 befe6c50 000b609b
      [   78.678415] ffc0: 000b609b befe6c50 000a0ec4 00000036 befe6e0c befe6f1a 000d5150 00000000
      [   78.679154] ffe0: 000d41e4 befe6bf4 00019648 b6e4509c 20000010 00000003 00000000 00000000
      [   78.681059] [<c0b0a634>] (macb_open) from [<c0de6f2c>] (__dev_open+0xd0/0x154)
      [   78.681571] [<c0de6f2c>] (__dev_open) from [<c0de72f4>] (__dev_change_flags+0x16c/0x1c4)
      [   78.682015] [<c0de72f4>] (__dev_change_flags) from [<c0de7364>] (dev_change_flags+0x18/0x48)
      [   78.682493] [<c0de7364>] (dev_change_flags) from [<c0e8bd48>] (devinet_ioctl+0x5e4/0x75c)
      [   78.682945] [<c0e8bd48>] (devinet_ioctl) from [<c0e8ef58>] (inet_ioctl+0x1f0/0x3b4)
      [   78.683381] [<c0e8ef58>] (inet_ioctl) from [<c0dc00e4>] (sock_ioctl+0x39c/0x664)
      [   78.683818] [<c0dc00e4>] (sock_ioctl) from [<c04b21bc>] (ksys_ioctl+0x2d8/0x9c0)
      [   78.684343] [<c04b21bc>] (ksys_ioctl) from [<c03000c0>] (ret_fast_syscall+0x0/0x54)
      [   78.684789] Exception stack(0xc89fffa8 to 0xc89ffff0)
      [   78.685346] ffa0:                   000b609b befe6c50 00000003 00008914 befe6c50 000b609b
      [   78.686106] ffc0: 000b609b befe6c50 000a0ec4 00000036 befe6e0c befe6f1a 000d5150 00000000
      [   78.686710] ffe0: 000d41e4 befe6bf4 00019648 b6e4509c
      [   78.687582] Code: 9a000003 e5983078 e3130001 1affffef (e7f001f2)
      [   78.688788] ---[ end trace e3f2f6ab69754eae ]---
      
      This is due to NAPI left enabled if macb_phylink_connect() fail.
      
      Fixes: 7897b071 ("net: macb: convert to phylink")
      Signed-off-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      014406ba
    • Paolo Abeni's avatar
      mptcp: don't leak msk in token container · 4b5af441
      Paolo Abeni authored
      If a listening MPTCP socket has unaccepted sockets at close
      time, the related msks are freed via mptcp_sock_destruct(),
      which in turn does not invoke the proto->destroy() method
      nor the mptcp_token_destroy() function.
      
      Due to the above, the child msk socket is not removed from
      the token container, leading to later UaF.
      
      Address the issue explicitly removing the token even in the
      above error path.
      
      Fixes: 79c0949e ("mptcp: Add key generation and token tree")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4b5af441
    • Paolo Abeni's avatar
      mptcp: fix races between shutdown and recvmsg · 5969856a
      Paolo Abeni authored
      The msk sk_shutdown flag is set by a workqueue, possibly
      introducing some delay in user-space notification. If the last
      subflow carries some data with the fin packet, the user space
      can wake-up before RCV_SHUTDOWN is set. If it executes unblocking
      recvmsg(), it may return with an error instead of eof.
      
      Address the issue explicitly checking for eof in recvmsg(), when
      no data is found.
      
      Fixes: 59832e24 ("mptcp: subflow: check parent mptcp socket on subflow state change")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5969856a
    • David Ahern's avatar
      vxlan: Remove access to nexthop group struct · 50cb8769
      David Ahern authored
      vxlan driver should be using helpers to access nexthop struct
      internals. Remove open check if whether nexthop is multipath in
      favor of the existing nexthop_is_multipath helper. Add a new
      helper, nexthop_has_v4, to cover the need to check has_v4 in
      a group.
      
      Fixes: 1274e1cc ("vxlan: ecmp support for mac fdb entries")
      Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50cb8769
    • David Ahern's avatar
      nexthop: Fix fdb labeling for groups · ce9ac056
      David Ahern authored
      fdb nexthops are marked with a flag. For standalone nexthops, a flag was
      added to the nh_info struct. For groups that flag was added to struct
      nexthop when it should have been added to the group information. Fix
      by removing the flag from the nexthop struct and adding a flag to nh_group
      that mirrors nh_info and is really only a caching of the individual types.
      Add a helper, nexthop_is_fdb, for use by the vxlan code and fixup the
      internal code to use the flag from either nh_info or nh_group.
      
      v2
      - propagate fdb_nh in remove_nh_grp_entry
      
      Fixes: 38428d68 ("nexthop: support for fdb ecmp nexthops")
      Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce9ac056
  3. 09 Jun, 2020 13 commits
  4. 08 Jun, 2020 7 commits
  5. 07 Jun, 2020 12 commits
    • Vadim Pasternak's avatar
      mlxsw: core: Use different get_trend() callbacks for different thermal zones · 2dc2f760
      Vadim Pasternak authored
      The driver registers three different types of thermal zones: For the
      ASIC itself, for port modules and for gearboxes.
      
      Currently, all three types use the same get_trend() callback which does
      not work correctly for the ASIC thermal zone. The callback assumes that
      the device data is of type 'struct mlxsw_thermal_module', whereas for
      the ASIC thermal zone 'struct mlxsw_thermal' is passed as device data.
      
      Fix this by using one get_trend() callback for the ASIC thermal zone and
      another for the other two types.
      
      Fixes: 6f73862f ("mlxsw: core: Add the hottest thermal zone detection")
      Signed-off-by: default avatarVadim Pasternak <vadimp@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2dc2f760
    • David S. Miller's avatar
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · cf0c97f1
      Linus Torvalds authored
      Pull pin control updates from Linus Walleij:
       "This is the bulk of pin control changes for the v5.8 kernel cycle.
      
        It's just really boring this time. Zero core changes. Just linear
        development, cleanups and misc noncritical fixes. Some new drivers for
        very new Qualcomm and Intel chips.
      
        New drivers:
      
         - Intel Jasper Lake support.
      
         - NXP Freescale i.MX8DXL support.
      
         - Qualcomm SM8250 support.
      
         - Renesas R8A7742 SH-PFC support.
      
        Driver improvements:
      
         - Severe cleanup and modernization of the MCP23s08 driver.
      
         - Mediatek driver modularized.
      
         - Setting config supported in the Meson driver.
      
         - Wakeup support for the Broadcom BCM7211"
      
      * tag 'pinctrl-v5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: (72 commits)
        pinctrl: sprd: Fix the incorrect pull-up definition
        pinctrl: pxa: pxa2xx: Remove 'pxa2xx_pinctrl_exit()' which is unused and broken
        pinctrl: freescale: imx: Use 'devm_of_iomap()' to avoid a resource leak in case of error in 'imx_pinctrl_probe()'
        pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()'
        pinctrl: sirf: add missing put_device() call in sirfsoc_gpio_probe()
        pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()'
        pinctrl: bcm2835: Add support for wake-up interrupts
        pinctrl: bcm2835: Match BCM7211 compatible string
        dt-bindings: pinctrl: Document optional BCM7211 wake-up interrupts
        dt-bindings: pinctrl: Document 7211 compatible for brcm, bcm2835-gpio.txt
        dt-bindings: pinctrl: stm32: Add missing interrupts property
        pinctrl: at91-pio4: Add COMPILE_TEST support
        pinctrl: Fix return value about devm_platform_ioremap_resource()
        MAINTAINERS: Renesas Pin Controllers are supported
        dt-bindings: pinctrl: ocelot: Add Sparx5 SoC support
        pinctrl: ocelot: Fix GPIO interrupt decoding on Jaguar2
        pinctrl: ocelot: Remove instance number from pin functions
        pinctrl: ocelot: Always register GPIO driver
        dt-bindings: pinctrl: rockchip: update example
        pinctrl: amd: Add ACPI dependency
        ...
      cf0c97f1
    • Linus Torvalds's avatar
      Merge tag 'rtc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux · e8dff03a
      Linus Torvalds authored
      Pull RTC updates from Alexandre Belloni:
       "Not much this cycle apart from the ingenic rtc driver rework.
      
        The fixes are mainly minor issues reported by coccinelle rather than
        real world issues.
      
        Subsystem:
      
         - new VL flag for backup switch over
      
        Drivers:
      
         - ingenic: only support device tree
      
         - pcf2127: report battery switch over, handle nowayout"
      
      * tag 'rtc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: (29 commits)
        rtc: pcf2127: watchdog: handle nowayout feature
        rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake
        rtc: abx80x: Provide debug feedback for invalid dt properties
        rtc: abx80x: Add Device Tree matching table
        rtc: rv3028: Add missed check for devm_regmap_init_i2c()
        rtc: mpc5121: Use correct return value for mpc5121_rtc_probe()
        rtc: goldfish: Use correct return value for goldfish_rtc_probe()
        rtc: snvs: Add necessary clock operations for RTC APIs
        rtc: snvs: Make SNVS clock always prepared
        rtc: ingenic: Reset regulator register in probe
        rtc: ingenic: Fix masking of error code
        rtc: ingenic: Remove unused fields from private structure
        rtc: ingenic: Set wakeup params in probe
        rtc: ingenic: Enable clock in probe
        rtc: ingenic: Use local 'dev' variable in probe
        rtc: ingenic: Only support probing from devicetree
        rtc: mc13xxx: fix a double-unlock issue
        rtc: stmp3xxx: update contact email
        rtc: max77686: Use single-byte writes on MAX77620
        rtc: pcf2127: report battery switch over
        ...
      e8dff03a
    • Linus Torvalds's avatar
      Merge tag 'ntb-5.8' of git://github.com/jonmason/ntb · 787f74fc
      Linus Torvalds authored
      Pull NTB updates from Jon Mason:
       "Intel Icelake NTB support, Intel driver bug fixes, and lots of bug
        fixes for ntb tests"
      
      * tag 'ntb-5.8' of git://github.com/jonmason/ntb:
        NTB: ntb_test: Fix bug when counting remote files
        NTB: perf: Fix race condition when run with ntb_test
        NTB: perf: Fix support for hardware that doesn't have port numbers
        NTB: perf: Don't require one more memory window than number of peers
        NTB: ntb_pingpong: Choose doorbells based on port number
        NTB: Fix the default port and peer numbers for legacy drivers
        NTB: Revert the change to use the NTB device dev for DMA allocations
        NTB: ntb_tool: reading the link file should not end in a NULL byte
        ntb_perf: avoid false dma unmap of destination address
        ntb_perf: increase sleep time from one milli sec to one sec
        ntb_tool: pass correct struct device to dma_alloc_coherent
        ntb_perf: pass correct struct device to dma_alloc_coherent
        ntb: hw: remove the code that sets the DMA mask
        NTB: correct ntb_peer_spad_addr and ntb_peer_spad_read comment typos
        ntb: intel: fix static declaration
        ntb: intel: add hw workaround for NTB BAR alignment
        ntb: intel: Add Icelake (gen4) support for Intel NTB
        NTB: Fix static check warning in perf_clear_test
        include/ntb: Fix typo in ntb_unregister_device description
      787f74fc
    • Linus Torvalds's avatar
      Merge tag 'apparmor-pr-2020-06-07' of... · a2b44706
      Linus Torvalds authored
      Merge tag 'apparmor-pr-2020-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
      
      Pull apparmor updates from John Johansen:
       "Features:
         - Replace zero-length array with flexible-array
         - add a valid state flags check
         - add consistency check between state and dfa diff encode flags
         - add apparmor subdir to proc attr interface
         - fail unpack if profile mode is unknown
         - add outofband transition and use it in xattr match
         - ensure that dfa state tables have entries
      
        Cleanups:
         - Use true and false for bool variable
         - Remove semicolon
         - Clean code by removing redundant instructions
         - Replace two seq_printf() calls by seq_puts() in aa_label_seq_xprint()
         - remove duplicate check of xattrs on profile attachment
         - remove useless aafs_create_symlink
      
        Bug fixes:
         - Fix memory leak of profile proxy
         - fix introspection of of task mode for unconfined tasks
         - fix nnp subset test for unconfined
         - check/put label on apparmor_sk_clone_security()"
      
      * tag 'apparmor-pr-2020-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
        apparmor: Fix memory leak of profile proxy
        apparmor: fix introspection of of task mode for unconfined tasks
        apparmor: check/put label on apparmor_sk_clone_security()
        apparmor: Use true and false for bool variable
        security/apparmor/label.c: Clean code by removing redundant instructions
        apparmor: Replace zero-length array with flexible-array
        apparmor: ensure that dfa state tables have entries
        apparmor: remove duplicate check of xattrs on profile attachment.
        apparmor: add outofband transition and use it in xattr match
        apparmor: fail unpack if profile mode is unknown
        apparmor: fix nnp subset test for unconfined
        apparmor: remove useless aafs_create_symlink
        apparmor: add proc subdir to attrs
        apparmor: add consistency check between state and dfa diff encode flags
        apparmor: add a valid state flags check
        AppArmor: Remove semicolon
        apparmor: Replace two seq_printf() calls by seq_puts() in aa_label_seq_xprint()
      a2b44706
    • Roberto Sassu's avatar
      ima: Remove __init annotation from ima_pcrread() · 8b8c704d
      Roberto Sassu authored
      Commit 6cc7c266 ("ima: Call ima_calc_boot_aggregate() in
      ima_eventdigest_init()") added a call to ima_calc_boot_aggregate() so that
      the digest can be recalculated for the boot_aggregate measurement entry if
      the 'd' template field has been requested. For the 'd' field, only SHA1 and
      MD5 digests are accepted.
      
      Given that ima_eventdigest_init() does not have the __init annotation, all
      functions called should not have it. This patch removes __init from
      ima_pcrread().
      
      Cc: stable@vger.kernel.org
      Fixes:  6cc7c266 ("ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()")
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8b8c704d
    • John Johansen's avatar
      apparmor: Fix memory leak of profile proxy · 3622ad25
      John Johansen authored
      When the proxy isn't replaced and the profile is removed, the proxy
      is being leaked resulting in a kmemleak check message of
      
      unreferenced object 0xffff888077a3a490 (size 16):
        comm "apparmor_parser", pid 128041, jiffies 4322684109 (age 1097.028s)
        hex dump (first 16 bytes):
          03 00 00 00 00 00 00 00 b0 92 fd 4b 81 88 ff ff  ...........K....
        backtrace:
          [<0000000084d5daf2>] aa_alloc_proxy+0x58/0xe0
          [<00000000ecc0e21a>] aa_alloc_profile+0x159/0x1a0
          [<000000004cc9ce15>] unpack_profile+0x275/0x1c40
          [<000000007332b3ca>] aa_unpack+0x1e7/0x7e0
          [<00000000e25e31bd>] aa_replace_profiles+0x18a/0x1d10
          [<00000000350d9415>] policy_update+0x237/0x650
          [<000000003fbf934e>] profile_load+0x122/0x160
          [<0000000047f7b781>] vfs_write+0x139/0x290
          [<000000008ad12358>] ksys_write+0xcd/0x170
          [<000000001a9daa7b>] do_syscall_64+0x70/0x310
          [<00000000b9efb0cf>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Make sure to cleanup the profile's embedded label which will result
      on the proxy being properly freed.
      
      Fixes: 637f688d ("apparmor: switch from profiles to using labels on contexts")
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      3622ad25
    • John Johansen's avatar
      apparmor: fix introspection of of task mode for unconfined tasks · dd2569fb
      John Johansen authored
      Fix two issues with introspecting the task mode.
      
      1. If a task is attached to a unconfined profile that is not the
         ns->unconfined profile then. Mode the mode is always reported
         as -
      
            $ ps -Z
            LABEL                               PID TTY          TIME CMD
            unconfined                         1287 pts/0    00:00:01 bash
            test (-)                           1892 pts/0    00:00:00 ps
      
         instead of the correct value of (unconfined) as shown below
      
            $ ps -Z
            LABEL                               PID TTY          TIME CMD
            unconfined                         2483 pts/0    00:00:01 bash
            test (unconfined)                  3591 pts/0    00:00:00 ps
      
      2. if a task is confined by a stack of profiles that are unconfined
         the output of label mode is again the incorrect value of (-) like
         above, instead of (unconfined). This is because the visibile
         profile count increment is skipped by the special casing of
         unconfined.
      
      Fixes: f1bd9041 ("apparmor: add the base fns() for domain labels")
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      dd2569fb
    • Mauricio Faria de Oliveira's avatar
      apparmor: check/put label on apparmor_sk_clone_security() · 3b646abc
      Mauricio Faria de Oliveira authored
      Currently apparmor_sk_clone_security() does not check for existing
      label/peer in the 'new' struct sock; it just overwrites it, if any
      (with another reference to the label of the source sock.)
      
          static void apparmor_sk_clone_security(const struct sock *sk,
                                                 struct sock *newsk)
          {
                  struct aa_sk_ctx *ctx = SK_CTX(sk);
                  struct aa_sk_ctx *new = SK_CTX(newsk);
      
                  new->label = aa_get_label(ctx->label);
                  new->peer = aa_get_label(ctx->peer);
          }
      
      This might leak label references, which might overflow under load.
      Thus, check for and put labels, to prevent such errors.
      
      Note this is similarly done on:
      
          static int apparmor_socket_post_create(struct socket *sock, ...)
          ...
                  if (sock->sk) {
                          struct aa_sk_ctx *ctx = SK_CTX(sock->sk);
      
                          aa_put_label(ctx->label);
                          ctx->label = aa_get_label(label);
                  }
          ...
      
      Context:
      -------
      
      The label reference count leak is observed if apparmor_sock_graft()
      is called previously: this sets the 'ctx->label' field by getting
      a reference to the current label (later overwritten, without put.)
      
          static void apparmor_sock_graft(struct sock *sk, ...)
          {
                  struct aa_sk_ctx *ctx = SK_CTX(sk);
      
                  if (!ctx->label)
                          ctx->label = aa_get_current_label();
          }
      
      And that is the case on crypto/af_alg.c:af_alg_accept():
      
          int af_alg_accept(struct sock *sk, struct socket *newsock, ...)
          ...
                  struct sock *sk2;
                  ...
                  sk2 = sk_alloc(...);
                  ...
                  security_sock_graft(sk2, newsock);
                  security_sk_clone(sk, sk2);
          ...
      
      Apparently both calls are done on their own right, especially for
      other LSMs, being introduced in 2010/2014, before apparmor socket
      mediation in 2017 (see commits [1,2,3,4]).
      
      So, it looks OK there! Let's fix the reference leak in apparmor.
      
      Test-case:
      ---------
      
      Exercise that code path enough to overflow label reference count.
      
          $ cat aa-refcnt-af_alg.c
          #include <stdio.h>
          #include <string.h>
          #include <unistd.h>
          #include <sys/socket.h>
          #include <linux/if_alg.h>
      
          int main() {
                  int sockfd;
                  struct sockaddr_alg sa;
      
                  /* Setup the crypto API socket */
                  sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  if (sockfd < 0) {
                          perror("socket");
                          return 1;
                  }
      
                  memset(&sa, 0, sizeof(sa));
                  sa.salg_family = AF_ALG;
                  strcpy((char *) sa.salg_type, "rng");
                  strcpy((char *) sa.salg_name, "stdrng");
      
                  if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
                          perror("bind");
                          return 1;
                  }
      
                  /* Accept a "connection" and close it; repeat. */
                  while (!close(accept(sockfd, NULL, 0)));
      
                  return 0;
          }
      
          $ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c
      
          $ ./aa-refcnt-af_alg
          <a few hours later>
      
          [ 9928.475953] refcount_t overflow at apparmor_sk_clone_security+0x37/0x70 in aa-refcnt-af_alg[1322], uid/euid: 1000/1000
          ...
          [ 9928.507443] RIP: 0010:apparmor_sk_clone_security+0x37/0x70
          ...
          [ 9928.514286]  security_sk_clone+0x33/0x50
          [ 9928.514807]  af_alg_accept+0x81/0x1c0 [af_alg]
          [ 9928.516091]  alg_accept+0x15/0x20 [af_alg]
          [ 9928.516682]  SYSC_accept4+0xff/0x210
          [ 9928.519609]  SyS_accept+0x10/0x20
          [ 9928.520190]  do_syscall_64+0x73/0x130
          [ 9928.520808]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Note that other messages may be seen, not just overflow, depending on
      the value being incremented by kref_get(); on another run:
      
          [ 7273.182666] refcount_t: saturated; leaking memory.
          ...
          [ 7273.185789] refcount_t: underflow; use-after-free.
      
      Kprobes:
      -------
      
      Using kprobe events to monitor sk -> sk_security -> label -> count (kref):
      
      Original v5.7 (one reference leak every iteration)
      
       ... (af_alg_accept+0x0/0x1c0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd2
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd4
       ... (af_alg_accept+0x0/0x1c0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd3
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd5
       ... (af_alg_accept+0x0/0x1c0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd4
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd6
      
      Patched v5.7 (zero reference leak per iteration)
      
       ... (af_alg_accept+0x0/0x1c0) label=0xffff9ff376c25eb0 label_refcnt=0x593
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff9ff376c25eb0 label_refcnt=0x594
       ... (af_alg_accept+0x0/0x1c0) label=0xffff9ff376c25eb0 label_refcnt=0x593
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff9ff376c25eb0 label_refcnt=0x594
       ... (af_alg_accept+0x0/0x1c0) label=0xffff9ff376c25eb0 label_refcnt=0x593
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff9ff376c25eb0 label_refcnt=0x594
      
      Commits:
      -------
      
      [1] commit 507cad35 ("crypto: af_alg - Make sure sk_security is initialized on accept()ed sockets")
      [2] commit 4c63f83c ("crypto: af_alg - properly label AF_ALG socket")
      [3] commit 2acce6aa ("Networking") a.k.a ("crypto: af_alg - Avoid sock_graft call warning)
      [4] commit 56974a6f ("apparmor: add base infastructure for socket mediation")
      
      Fixes: 56974a6f ("apparmor: add base infastructure for socket mediation")
      Reported-by: default avatarBrian Moyles <bmoyles@netflix.com>
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      3b646abc
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 9aa900c8
      Linus Torvalds authored
      Pull char/misc driver updates from Greg KH:
       "Here is the large set of char/misc driver patches for 5.8-rc1
      
        Included in here are:
      
         - habanalabs driver updates, loads
      
         - mhi bus driver updates
      
         - extcon driver updates
      
         - clk driver updates (approved by the clock maintainer)
      
         - firmware driver updates
      
         - fpga driver updates
      
         - gnss driver updates
      
         - coresight driver updates
      
         - interconnect driver updates
      
         - parport driver updates (it's still alive!)
      
         - nvmem driver updates
      
         - soundwire driver updates
      
         - visorbus driver updates
      
         - w1 driver updates
      
         - various misc driver updates
      
        In short, loads of different driver subsystem updates along with the
        drivers as well.
      
        All have been in linux-next for a while with no reported issues"
      
      * tag 'char-misc-5.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (233 commits)
        habanalabs: correctly cast u64 to void*
        habanalabs: initialize variable to default value
        extcon: arizona: Fix runtime PM imbalance on error
        extcon: max14577: Add proper dt-compatible strings
        extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()'
        extcon: remove redundant assignment to variable idx
        w1: omap-hdq: print dev_err if irq flags are not cleared
        w1: omap-hdq: fix interrupt handling which did show spurious timeouts
        w1: omap-hdq: fix return value to be -1 if there is a timeout
        w1: omap-hdq: cleanup to add missing newline for some dev_dbg
        /dev/mem: Revoke mappings when a driver claims the region
        misc: xilinx-sdfec: convert get_user_pages() --> pin_user_pages()
        misc: xilinx-sdfec: cleanup return value in xsdfec_table_write()
        misc: xilinx-sdfec: improve get_user_pages_fast() error handling
        nvmem: qfprom: remove incorrect write support
        habanalabs: handle MMU cache invalidation timeout
        habanalabs: don't allow hard reset with open processes
        habanalabs: GAUDI does not support soft-reset
        habanalabs: add print for soft reset due to event
        habanalabs: improve MMU cache invalidation code
        ...
      9aa900c8
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · f558b836
      Linus Torvalds authored
      Pull driver core updates from Greg KH:
       "Here is the set of driver core patches for 5.8-rc1.
      
        Not all that huge this release, just a number of small fixes and
        updates:
      
         - software node fixes
      
         - kobject now sends KOBJ_REMOVE when it is removed from sysfs, not
           when it is removed from memory (which could come much later)
      
         - device link additions and fixes based on testing on more devices
      
         - firmware core cleanups
      
         - other minor changes, full details in the shortlog
      
        All have been in linux-next for a while with no reported issues"
      
      * tag 'driver-core-5.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (23 commits)
        driver core: Update device link status correctly for SYNC_STATE_ONLY links
        firmware_loader: change enum fw_opt to u32
        software node: implement software_node_unregister()
        kobject: send KOBJ_REMOVE uevent when the object is removed from sysfs
        driver core: Remove unnecessary is_fwnode_dev variable in device_add()
        drivers property: When no children in primary, try secondary
        driver core: platform: Fix spelling errors in platform.c
        driver core: Remove check in driver_deferred_probe_force_trigger()
        of: platform: Batch fwnode parsing when adding all top level devices
        driver core: fw_devlink: Add support for batching fwnode parsing
        driver core: Look for waiting consumers only for a fwnode's primary device
        driver core: Move code to the right part of the file
        Revert "Revert "driver core: Set fw_devlink to "permissive" behavior by default""
        drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish
        firmware_loader: move fw_fallback_config to a private kernel symbol namespace
        driver core: Add missing '\n' in log messages
        driver/base/soc: Use kobj_to_dev() API
        Add documentation on meaning of -EPROBE_DEFER
        driver core: platform: remove redundant assignment to variable ret
        debugfs: Use the correct style for SPDX License Identifier
        ...
      f558b836