1. 08 Dec, 2017 8 commits
    • Eric Biggers's avatar
      pkcs7: return correct error code if pkcs7_check_authattrs() fails · 8ecb506d
      Eric Biggers authored
      If pkcs7_check_authattrs() returns an error code, we should pass that
      error code on, rather than using ENOMEM.
      
      Fixes: 99db4435 ("PKCS#7: Appropriately restrict authenticated attributes and content type")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      8ecb506d
    • Eric Biggers's avatar
      509: fix printing uninitialized stack memory when OID is empty · 8dfd2f22
      Eric Biggers authored
      Callers of sprint_oid() do not check its return value before printing
      the result.  In the case where the OID is zero-length, -EBADMSG was
      being returned without anything being written to the buffer, resulting
      in uninitialized stack memory being printed.  Fix this by writing
      "(bad)" to the buffer in the cases where -EBADMSG is returned.
      
      Fixes: 4f73175d ("X.509: Add utility functions to render OIDs as strings")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      8dfd2f22
    • Eric Biggers's avatar
      X.509: fix buffer overflow detection in sprint_oid() · 47e0a208
      Eric Biggers authored
      In sprint_oid(), if the input buffer were to be more than 1 byte too
      small for the first snprintf(), 'bufsize' would underflow, causing a
      buffer overflow when printing the remainder of the OID.
      
      Fortunately this cannot actually happen currently, because no users pass
      in a buffer that can be too small for the first snprintf().
      
      Regardless, fix it by checking the snprintf() return value correctly.
      
      For consistency also tweak the second snprintf() check to look the same.
      
      Fixes: 4f73175d ("X.509: Add utility functions to render OIDs as strings")
      Cc: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      47e0a208
    • Eric Biggers's avatar
      X.509: reject invalid BIT STRING for subjectPublicKey · 0f30cbea
      Eric Biggers authored
      Adding a specially crafted X.509 certificate whose subjectPublicKey
      ASN.1 value is zero-length caused x509_extract_key_data() to set the
      public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
      metadata byte.  Then, x509_cert_parse() called kmemdup() with that bogus
      size, triggering the WARN_ON_ONCE() in kmalloc_slab().
      
      This appears to be harmless, but it still must be fixed since WARNs are
      never supposed to be user-triggerable.
      
      Fix it by updating x509_cert_parse() to validate that the value has a
      BIT STRING metadata byte, and that the byte is 0 which indicates that
      the number of bits in the bitstring is a multiple of 8.
      
      It would be nice to handle the metadata byte in asn1_ber_decoder()
      instead.  But that would be tricky because in the general case a BIT
      STRING could be implicitly tagged, and/or could legitimately have a
      length that is not a whole number of bytes.
      
      Here was the WARN (cleaned up slightly):
      
          WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
          Modules linked in:
          CPU: 1 PID: 202 Comm: keyctl Tainted: G    B            4.14.0-09238-g1d3b78bb #26
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
          task: ffff880033014180 task.stack: ffff8800305c8000
          Call Trace:
           __do_kmalloc mm/slab.c:3706 [inline]
           __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
           kmemdup+0x17/0x40 mm/util.c:118
           kmemdup include/linux/string.h:414 [inline]
           x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
           x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
           asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
           key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
           SYSC_add_key security/keys/keyctl.c:122 [inline]
           SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
           entry_SYSCALL_64_fastpath+0x1f/0x96
      
      Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder")
      Cc: <stable@vger.kernel.org> # v3.7+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      0f30cbea
    • Eric Biggers's avatar
      ASN.1: check for error from ASN1_OP_END__ACT actions · 81a7be2c
      Eric Biggers authored
      asn1_ber_decoder() was ignoring errors from actions associated with the
      opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
      ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT.  In practice, this
      meant the pkcs7_note_signed_info() action (since that was the only user
      of those opcodes).  Fix it by checking for the error, just like the
      decoder does for actions associated with the other opcodes.
      
      This bug allowed users to leak slab memory by repeatedly trying to add a
      specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).
      
      In theory, this bug could also be used to bypass module signature
      verification, by providing a PKCS#7 message that is misparsed such that
      a signature's ->authattrs do not contain its ->msgdigest.  But it
      doesn't seem practical in normal cases, due to restrictions on the
      format of the ->authattrs.
      
      Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder")
      Cc: <stable@vger.kernel.org> # v3.7+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      81a7be2c
    • Eric Biggers's avatar
      ASN.1: fix out-of-bounds read when parsing indefinite length item · e0058f3a
      Eric Biggers authored
      In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
      to the action functions before their lengths had been computed, using
      the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH).  This resulted in
      reading data past the end of the input buffer, when given a specially
      crafted message.
      
      Fix it by rearranging the code so that the indefinite length is resolved
      before the action is called.
      
      This bug was originally found by fuzzing the X.509 parser in userspace
      using libFuzzer from the LLVM project.
      
      KASAN report (cleaned up slightly):
      
          BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
          BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
          Read of size 128 at addr ffff880035dd9eaf by task keyctl/195
      
          CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bb #26
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
          Call Trace:
           __dump_stack lib/dump_stack.c:17 [inline]
           dump_stack+0xd1/0x175 lib/dump_stack.c:53
           print_address_description+0x78/0x260 mm/kasan/report.c:252
           kasan_report_error mm/kasan/report.c:351 [inline]
           kasan_report+0x23f/0x350 mm/kasan/report.c:409
           memcpy+0x1f/0x50 mm/kasan/kasan.c:302
           memcpy ./include/linux/string.h:341 [inline]
           x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
           asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
           x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
           x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
           asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
           key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
           SYSC_add_key security/keys/keyctl.c:122 [inline]
           SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
           entry_SYSCALL_64_fastpath+0x1f/0x96
      
          Allocated by task 195:
           __do_kmalloc_node mm/slab.c:3675 [inline]
           __kmalloc_node+0x47/0x60 mm/slab.c:3682
           kvmalloc ./include/linux/mm.h:540 [inline]
           SYSC_add_key security/keys/keyctl.c:104 [inline]
           SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
           entry_SYSCALL_64_fastpath+0x1f/0x96
      
      Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder")
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Cc: <stable@vger.kernel.org> # v3.7+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      e0058f3a
    • Eric Biggers's avatar
      KEYS: add missing permission check for request_key() destination · 4dca6ea1
      Eric Biggers authored
      When the request_key() syscall is not passed a destination keyring, it
      links the requested key (if constructed) into the "default" request-key
      keyring.  This should require Write permission to the keyring.  However,
      there is actually no permission check.
      
      This can be abused to add keys to any keyring to which only Search
      permission is granted.  This is because Search permission allows joining
      the keyring.  keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
      then will set the default request-key keyring to the session keyring.
      Then, request_key() can be used to add keys to the keyring.
      
      Both negatively and positively instantiated keys can be added using this
      method.  Adding negative keys is trivial.  Adding a positive key is a
      bit trickier.  It requires that either /sbin/request-key positively
      instantiates the key, or that another thread adds the key to the process
      keyring at just the right time, such that request_key() misses it
      initially but then finds it in construct_alloc_key().
      
      Fix this bug by checking for Write permission to the keyring in
      construct_get_dest_keyring() when the default keyring is being used.
      
      We don't do the permission check for non-default keyrings because that
      was already done by the earlier call to lookup_user_key().  Also,
      request_key_and_link() is currently passed a 'struct key *' rather than
      a key_ref_t, so the "possessed" bit is unavailable.
      
      We also don't do the permission check for the "requestor keyring", to
      continue to support the use case described by commit 8bbf4976
      ("KEYS: Alter use of key instantiation link-to-keyring argument") where
      /sbin/request-key recursively calls request_key() to add keys to the
      original requestor's destination keyring.  (I don't know of any users
      who actually do that, though...)
      
      Fixes: 3e30148c ("[PATCH] Keys: Make request-key create an authorisation key")
      Cc: <stable@vger.kernel.org>	# v2.6.13+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      4dca6ea1
    • Eric Biggers's avatar
      KEYS: remove unnecessary get/put of explicit dest_keyring · a2d8737d
      Eric Biggers authored
      In request_key_and_link(), in the case where the dest_keyring was
      explicitly specified, there is no need to get another reference to
      dest_keyring before calling key_link(), then drop it afterwards.  This
      is because by definition, we already have a reference to dest_keyring.
      
      This change is useful because we'll be making
      construct_get_dest_keyring() able to return an error code, and we don't
      want to have to handle that error here for no reason.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      a2d8737d
  2. 04 Dec, 2017 4 commits
    • Linus Torvalds's avatar
      Merge tag 'docs-4.15-fixes' of git://git.lwn.net/linux · fd6d2e50
      Linus Torvalds authored
      Pull documentation fixes from Jonathan Corbet:
       "A handful of documentation fixes.
      
        The most significant of these addresses a problem with the new warning
        mode: it can break the build when confronted with a source file
        containing malformed kerneldoc comments"
      
      * tag 'docs-4.15-fixes' of git://git.lwn.net/linux:
        Documentation: fix docs build error after source file removed
        scsi: documentation: Fix case of 'scsi_device' struct mention(s)
        genericirq.rst: Remove :c:func:`...` in code blocks
        dmaengine: doc : Fix warning "Title underline too short" while make xmldocs
        scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none
      fd6d2e50
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 2391f0b4
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
       "virtio and qemu bugfixes
      
        A couple of bugfixes that just became ready"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        virtio_balloon: fix increment of vb->num_pfns in fill_balloon()
        virtio: release virtio index when fail to device_register
        fw_cfg: fix driver remove
      2391f0b4
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 236fa078
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Various TCP control block fixes, including one that crashes with
          SELinux, from David Ahern and Eric Dumazet.
      
       2) Fix ACK generation in rxrpc, from David Howells.
      
       3) ipvlan doesn't set the mark properly in the ipv4 route lookup key,
          from Gao Feng.
      
       4) SIT configuration doesn't take on the frag_off ipv4 field
          configuration properly, fix from Hangbin Liu.
      
       5) TSO can fail after device down/up on stmmac, fix from Lars Persson.
      
       6) Various bpftool fixes (mostly in JSON handling) from Quentin Monnet.
      
       7) Various SKB leak fixes in vhost/tun/tap (mostly observed as
          performance problems). From Wei Xu.
      
       8) mvpps's TX descriptors were not zero initialized, from Yan Markman.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (57 commits)
        tcp: use IPCB instead of TCP_SKB_CB in inet_exact_dif_match()
        tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb()
        rxrpc: Fix the MAINTAINERS record
        rxrpc: Use correct netns source in rxrpc_release_sock()
        liquidio: fix incorrect indentation of assignment statement
        stmmac: reset last TSO segment size after device open
        ipvlan: Add the skb->mark as flow4's member to lookup route
        s390/qeth: build max size GSO skbs on L2 devices
        s390/qeth: fix GSO throughput regression
        s390/qeth: fix thinko in IPv4 multicast address tracking
        tap: free skb if flags error
        tun: free skb in early errors
        vhost: fix skb leak in handle_rx()
        bnxt_en: Fix a variable scoping in bnxt_hwrm_do_send_msg()
        bnxt_en: fix dst/src fid for vxlan encap/decap actions
        bnxt_en: wildcard smac while creating tunnel decap filter
        bnxt_en: Need to unconditionally shut down RoCE in bnxt_shutdown
        phylink: ensure we take the link down when phylink_stop() is called
        sfp: warn about modules requiring address change sequence
        sfp: improve RX_LOS handling
        ...
      236fa078
    • Chris Metcalf's avatar
      arch/tile: mark as orphaned · 8ee5ad1d
      Chris Metcalf authored
      The chip family of TILEPro and TILE-Gx was developed by Tilera, which
      was eventually acquired by Mellanox.  The tile architecture was added to
      the kernel in 2010 and first appeared in 2.6.36.
      
      Now at Mellanox we are developing new chips based on the ARM64
      architecture; our last TILE-Gx chip (the Gx72) was released in 2013, and
      our customers using tile architecture products are not, as far as we
      know, looking to upgrade to newer kernel releases.  In the absence of
      someone in the community stepping up to take over maintainership, this
      commit marks the architecture as orphaned.
      
      Cc: Chris Metcalf <metcalf@alum.mit.edu>
      Signed-off-by: default avatarChris Metcalf <cmetcalf@mellanox.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8ee5ad1d
  3. 03 Dec, 2017 28 commits
    • Randy Dunlap's avatar
      Documentation: fix docs build error after source file removed · 9956cfef
      Randy Dunlap authored
      The pci/htirq.c file was removed so remove it from the documentation
      file also.
      
      Error: Cannot open file ../drivers/pci/htirq.c
      WARNING: kernel-doc '../scripts/kernel-doc -rst -enable-lineno -export ../drivers/pci/htirq.c' failed with return code 2
      
      Fixes: fd2fa6c1 ("x86/PCI: Remove unused HyperTransport interrupt support")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarJonathan Corbet <corbet@lwn.net>
      9956cfef
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · c2eb6d07
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2017-12-02
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix a compilation warning in xdp redirect tracepoint due to
         missing bpf.h include that pulls in struct bpf_map, from Xie.
      
      2) Limit the maximum number of attachable BPF progs for a given
         perf event as long as uabi is not frozen yet. The hard upper
         limit is now 64 and therefore the same as with BPF multi-prog
         for cgroups. Also add related error checking for the sample
         BPF loader when enabling and attaching to the perf event, from
         Yonghong.
      
      3) Specifically set the RLIMIT_MEMLOCK for the test_verifier_log
         case, so that the test case can always pass and not fail in
         some environments due to too low default limit, also from
         Yonghong.
      
      4) Fix up a missing license header comment for kernel/bpf/offload.c,
         from Jakub.
      
      5) Several fixes for bpftool, among others a crash on incorrect
         arguments when json output is used, error message handling
         fixes on unknown options and proper destruction of json writer
         for some exit cases, all from Quentin.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2eb6d07
    • David S. Miller's avatar
      Merge branch 'tcp-cb-selinux-corruption' · e4485c74
      David S. Miller authored
      Eric Dumazet says:
      
      ====================
      tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb()
      
      James Morris reported kernel stack corruption bug that
      we tracked back to commit 971f10ec ("tcp: better TCP_SKB_CB
      layout to reduce cache line misses")
      
      First patch needs to be backported to kernels >= 3.18,
      while second patch needs to be backported to kernels >= 4.9, since
      this was the time when inet_exact_dif_match appeared.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e4485c74
    • David Ahern's avatar
      tcp: use IPCB instead of TCP_SKB_CB in inet_exact_dif_match() · b4d1605a
      David Ahern authored
      After this fix : ("tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb()"),
      socket lookups happen while skb->cb[] has not been mangled yet by TCP.
      
      Fixes: a04a480d ("net: Require exact match for TCP socket lookups if dif is l3mdev")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b4d1605a
    • Eric Dumazet's avatar
      tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb() · eeea10b8
      Eric Dumazet authored
      James Morris reported kernel stack corruption bug [1] while
      running the SELinux testsuite, and bisected to a recent
      commit bffa72cf ("net: sk_buff rbnode reorg")
      
      We believe this commit is fine, but exposes an older bug.
      
      SELinux code runs from tcp_filter() and might send an ICMP,
      expecting IP options to be found in skb->cb[] using regular IPCB placement.
      
      We need to defer TCP mangling of skb->cb[] after tcp_filter() calls.
      
      This patch adds tcp_v4_fill_cb()/tcp_v4_restore_cb() in a very
      similar way we added them for IPv6.
      
      [1]
      [  339.806024] SELinux: failure in selinux_parse_skb(), unable to parse packet
      [  339.822505] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81745af5
      [  339.822505]
      [  339.852250] CPU: 4 PID: 3642 Comm: client Not tainted 4.15.0-rc1-test #15
      [  339.868498] Hardware name: LENOVO 10FGS0VA1L/30BC, BIOS FWKT68A   01/19/2017
      [  339.885060] Call Trace:
      [  339.896875]  <IRQ>
      [  339.908103]  dump_stack+0x63/0x87
      [  339.920645]  panic+0xe8/0x248
      [  339.932668]  ? ip_push_pending_frames+0x33/0x40
      [  339.946328]  ? icmp_send+0x525/0x530
      [  339.958861]  ? kfree_skbmem+0x60/0x70
      [  339.971431]  __stack_chk_fail+0x1b/0x20
      [  339.984049]  icmp_send+0x525/0x530
      [  339.996205]  ? netlbl_skbuff_err+0x36/0x40
      [  340.008997]  ? selinux_netlbl_err+0x11/0x20
      [  340.021816]  ? selinux_socket_sock_rcv_skb+0x211/0x230
      [  340.035529]  ? security_sock_rcv_skb+0x3b/0x50
      [  340.048471]  ? sk_filter_trim_cap+0x44/0x1c0
      [  340.061246]  ? tcp_v4_inbound_md5_hash+0x69/0x1b0
      [  340.074562]  ? tcp_filter+0x2c/0x40
      [  340.086400]  ? tcp_v4_rcv+0x820/0xa20
      [  340.098329]  ? ip_local_deliver_finish+0x71/0x1a0
      [  340.111279]  ? ip_local_deliver+0x6f/0xe0
      [  340.123535]  ? ip_rcv_finish+0x3a0/0x3a0
      [  340.135523]  ? ip_rcv_finish+0xdb/0x3a0
      [  340.147442]  ? ip_rcv+0x27c/0x3c0
      [  340.158668]  ? inet_del_offload+0x40/0x40
      [  340.170580]  ? __netif_receive_skb_core+0x4ac/0x900
      [  340.183285]  ? rcu_accelerate_cbs+0x5b/0x80
      [  340.195282]  ? __netif_receive_skb+0x18/0x60
      [  340.207288]  ? process_backlog+0x95/0x140
      [  340.218948]  ? net_rx_action+0x26c/0x3b0
      [  340.230416]  ? __do_softirq+0xc9/0x26a
      [  340.241625]  ? do_softirq_own_stack+0x2a/0x40
      [  340.253368]  </IRQ>
      [  340.262673]  ? do_softirq+0x50/0x60
      [  340.273450]  ? __local_bh_enable_ip+0x57/0x60
      [  340.285045]  ? ip_finish_output2+0x175/0x350
      [  340.296403]  ? ip_finish_output+0x127/0x1d0
      [  340.307665]  ? nf_hook_slow+0x3c/0xb0
      [  340.318230]  ? ip_output+0x72/0xe0
      [  340.328524]  ? ip_fragment.constprop.54+0x80/0x80
      [  340.340070]  ? ip_local_out+0x35/0x40
      [  340.350497]  ? ip_queue_xmit+0x15c/0x3f0
      [  340.361060]  ? __kmalloc_reserve.isra.40+0x31/0x90
      [  340.372484]  ? __skb_clone+0x2e/0x130
      [  340.382633]  ? tcp_transmit_skb+0x558/0xa10
      [  340.393262]  ? tcp_connect+0x938/0xad0
      [  340.403370]  ? ktime_get_with_offset+0x4c/0xb0
      [  340.414206]  ? tcp_v4_connect+0x457/0x4e0
      [  340.424471]  ? __inet_stream_connect+0xb3/0x300
      [  340.435195]  ? inet_stream_connect+0x3b/0x60
      [  340.445607]  ? SYSC_connect+0xd9/0x110
      [  340.455455]  ? __audit_syscall_entry+0xaf/0x100
      [  340.466112]  ? syscall_trace_enter+0x1d0/0x2b0
      [  340.476636]  ? __audit_syscall_exit+0x209/0x290
      [  340.487151]  ? SyS_connect+0xe/0x10
      [  340.496453]  ? do_syscall_64+0x67/0x1b0
      [  340.506078]  ? entry_SYSCALL64_slow_path+0x25/0x25
      
      Fixes: 971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarJames Morris <james.l.morris@oracle.com>
      Tested-by: default avatarJames Morris <james.l.morris@oracle.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eeea10b8
    • Linus Torvalds's avatar
      Linux 4.15-rc2 · ae64f9bd
      Linus Torvalds authored
      ae64f9bd
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 87fc5c68
      Linus Torvalds authored
      Pull ARM fix from Russell King:
       "Just one fix this time around, for the late commit in the merge window
        that triggered a problem with qemu. Qemu is apparently also going to
        receive a fix for the discovered issue"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: avoid faulting on qemu
      87fc5c68
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · ae4806a3
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Here are two bugfixes for I2C, fixing a memleak in the core and irq
        allocation for i801.
      
        Also three bugfixes for the at24 eeprom driver which Bartosz collected
        while taking over maintainership for this driver"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        eeprom: at24: check at24_read/write arguments
        eeprom: at24: fix reading from 24MAC402/24MAC602
        eeprom: at24: correctly set the size for at24mac402
        i2c: i2c-boardinfo: fix memory leaks on devinfo
        i2c: i801: Fix Failed to allocate irq -2147483648 error
      ae4806a3
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-linus-v4.15-rc2' of... · 49a418d7
      Linus Torvalds authored
      Merge tag 'hwmon-for-linus-v4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
       "Fixes:
      
         - Drop reference to obsolete maintainer tree
      
         - Fix overflow bug in pmbus driver
      
         - Fix SMBUS timeout problem in jc42 driver
      
        For the SMBUS timeout handling, we had a brief discussion if this
        should be considered a bug fix or a feature. Peter says "it fixes real
        problems where the application misbehave due to faulty content when
        reading from an eeprom", and he needs the patch in his company's v4.14
        images. This is good enough for me and warrants backport to stable
        kernels"
      
      * tag 'hwmon-for-linus-v4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (jc42) optionally try to disable the SMBUS timeout
        hwmon: (pmbus) Use 64bit math for DIRECT format values
        hwmon: Drop reference to Jean's tree
      49a418d7
    • David Howells's avatar
      rxrpc: Fix the MAINTAINERS record · bcd1d601
      David Howells authored
      Fix the MAINTAINERS record so that it's more obvious who the maintainer for
      AF_RXRPC is.
      Reported-by: default avatarJoe Perches <joe@perches.com>
      Reported-by: default avatarDavid Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bcd1d601
    • David Howells's avatar
      rxrpc: Use correct netns source in rxrpc_release_sock() · c5012564
      David Howells authored
      In rxrpc_release_sock() there may be no rx->local value to access, so we
      can't unconditionally follow it to the rxrpc network namespace information
      to poke the connection reapers.
      
      Instead, use the socket's namespace pointer to find the namespace.
      
      This unfixed code causes the following static checker warning:
      
      	net/rxrpc/af_rxrpc.c:898 rxrpc_release_sock()
      	error: we previously assumed 'rx->local' could be null (see line 887)
      
      Fixes: 3d18cbb7 ("rxrpc: Fix conn expiry timers")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c5012564
    • Colin Ian King's avatar
      liquidio: fix incorrect indentation of assignment statement · 886afc1d
      Colin Ian King authored
      Remove one extraneous level of indentation on assignment statement.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      886afc1d
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-4.15-20171201' of... · ed75e1ac
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.15-20171201' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2017-12-01
      
      this is a pull for net consisting of nine patches.
      
      The first three patches are by Jimmy Assarsson for the kvaser_usb driver
      and add the missing free()s in some error path, a signed/unsigned
      comparison and ratelimit the error messages in case of incomplete
      messages. Oliver Stäbler's patch for the ti_hecc driver fix the napi
      poll function's return value. The return values of the probe function of
      the peak_canfd and peak_pci PCI drivers are fixed by Stephane Grosjean's
      patch. Two patches by me for the flexcan driver update the
      bugs/features/quirks overview table and fix the error state transition
      for the VF610 SoC. The two patches by Martin Kelly for the mcba_usb
      driver fix a typo and a device disconnect bug.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ed75e1ac
    • Wolfram Sang's avatar
      Merge tag 'at24-4.15-fixes-for-wolfram' of... · edef3098
      Wolfram Sang authored
      Merge tag 'at24-4.15-fixes-for-wolfram' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into i2c/for-current
      
      Please consider pulling the following fixes for v4.15. While it doesn't
      fix any regression introduced in the v4.15 merge window, we have a
      feature in at24 since linux v4.8 - reading the mac address block from
      at24mac series - which turned out to be not working.
      
      This pull request contains changes that fix it together with a patch
      that hardens the read and write argument sanitization with
      out-of-bounds checks that were missing.
      edef3098
    • Lars Persson's avatar
      stmmac: reset last TSO segment size after device open · 45ab4b13
      Lars Persson authored
      The mss variable tracks the last max segment size sent to the TSO
      engine. We do not update the hardware as long as we receive skb:s with
      the same value in gso_size.
      
      During a network device down/up cycle (mapped to stmmac_release() and
      stmmac_open() callbacks) we issue a reset to the hardware and it
      forgets the setting for mss. However we did not zero out our mss
      variable so the next transmission of a gso packet happens with an
      undefined hardware setting.
      
      This triggers a hang in the TSO engine and eventuelly the netdev
      watchdog will bark.
      
      Fixes: f748be53 ("stmmac: support new GMAC4")
      Signed-off-by: default avatarLars Persson <larper@axis.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45ab4b13
    • Gao Feng's avatar
      ipvlan: Add the skb->mark as flow4's member to lookup route · a98a4ebc
      Gao Feng authored
      Current codes don't use skb->mark to assign flowi4_mark, it would
      make the policy route rule with fwmark doesn't work as expected.
      Signed-off-by: default avatarGao Feng <gfree.wind@vip.163.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a98a4ebc
    • David S. Miller's avatar
      Merge branch 's390-qeth-fixes' · af57b7ff
      David S. Miller authored
      Julian Wiedmann says:
      
      ====================
      s390/qeth: fixes 2017-12-01
      
      please apply the following three fixes for 4.15. These should also go
      back to stable.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af57b7ff
    • Julian Wiedmann's avatar
      s390/qeth: build max size GSO skbs on L2 devices · 0cbff6d4
      Julian Wiedmann authored
      The current GSO skb size limit was copy&pasted over from the L3 path,
      where it is needed due to a TSO limitation.
      As L2 devices don't offer TSO support (and thus all GSO skbs are
      segmented before they reach the driver), there's no reason to restrict
      the stack in how large it may build the GSO skbs.
      
      Fixes: d52aec97 ("qeth: enable scatter/gather in layer 2 mode")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0cbff6d4
    • Julian Wiedmann's avatar
      s390/qeth: fix GSO throughput regression · 6d69b1f1
      Julian Wiedmann authored
      Using GSO with small MTUs currently results in a substantial throughput
      regression - which is caused by how qeth needs to map non-linear skbs
      into its IO buffer elements:
      compared to a linear skb, each GSO-segmented skb effectively consumes
      twice as many buffer elements (ie two instead of one) due to the
      additional header-only part. This causes the Output Queue to be
      congested with low-utilized IO buffers.
      
      Fix this as follows:
      If the MSS is low enough so that a non-SG GSO segmentation produces
      order-0 skbs (currently ~3500 byte), opt out from NETIF_F_SG. This is
      where we anticipate the biggest savings, since an SG-enabled
      GSO segmentation produces skbs that always consume at least two
      buffer elements.
      
      Larger MSS values continue to get a SG-enabled GSO segmentation, since
      1) the relative overhead of the additional header-only buffer element
      becomes less noticeable, and
      2) the linearization overhead increases.
      
      With the throughput regression fixed, re-enable NETIF_F_SG by default to
      reap the significant CPU savings of GSO.
      
      Fixes: 5722963a ("qeth: do not turn on SG per default")
      Reported-by: default avatarNils Hoppmann <niho@de.ibm.com>
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d69b1f1
    • Julian Wiedmann's avatar
      s390/qeth: fix thinko in IPv4 multicast address tracking · bc3ab705
      Julian Wiedmann authored
      Commit 5f78e29c ("qeth: optimize IP handling in rx_mode callback")
      reworked how secondary addresses are managed for qeth devices.
      Instead of dropping & subsequently re-adding all addresses on every
      ndo_set_rx_mode() call, qeth now keeps track of the addresses that are
      currently registered with the HW.
      On a ndo_set_rx_mode(), we thus only need to do (de-)registration
      requests for the addresses that have actually changed.
      
      On L3 devices, the lookup for IPv4 Multicast addresses checks the wrong
      hashtable - and thus never finds a match. As a result, we first delete
      *all* such addresses, and then re-add them again. So each set_rx_mode()
      causes a short period where the IPv4 Multicast addresses are not
      registered, and the card stops forwarding inbound traffic for them.
      
      Fix this by setting the ->is_multicast flag on the lookup object, thus
      enabling qeth_l3_ip_from_hash() to search the correct hashtable and
      find a match there.
      
      Fixes: 5f78e29c ("qeth: optimize IP handling in rx_mode callback")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc3ab705
    • David S. Miller's avatar
      Merge branch 'vhost-skb-leaks' · 7344ba03
      David S. Miller authored
      Wei Xu says:
      
      ====================
      vhost: fix a few skb leaks
      
      Matthew found a roughly 40% tcp throughput regression with commit
      c67df11f(vhost_net: try batch dequing from skb array) as discussed
      in the following thread:
      https://www.mail-archive.com/netdev@vger.kernel.org/msg187936.html
      
      v4:
      - fix zero iov iterator count in tap/tap_do_read()(Jason)
      - don't put tun in case of EBADFD(Jason)
      - Replace msg->msg_control with new 'skb' when calling tun/tap_do_read()
      
      v3:
      - move freeing skb from vhost to tun/tap recvmsg() to not
        confuse the callers.
      
      v2:
      - add Matthew as the reporter, thanks matthew.
      - moving zero headcount check ahead instead of defer consuming skb
        due to jason and mst's comment.
      - add freeing skb in favor of recvmsg() fails.
      ====================
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Tested-by: default avatarMatthew Rosato <mjrosato@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7344ba03
    • Wei Xu's avatar
      tap: free skb if flags error · 61d78537
      Wei Xu authored
      tap_recvmsg() supports accepting skb by msg_control after
      commit 3b4ba04a ("tap: support receiving skb from msg_control"),
      the skb if presented should be freed within the function, otherwise
      it would be leaked.
      Signed-off-by: default avatarWei Xu <wexu@redhat.com>
      Reported-by: default avatarMatthew Rosato <mjrosato@linux.vnet.ibm.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61d78537
    • Wei Xu's avatar
      tun: free skb in early errors · c33ee15b
      Wei Xu authored
      tun_recvmsg() supports accepting skb by msg_control after
      commit ac77cfd4 ("tun: support receiving skb through msg_control"),
      the skb if presented should be freed no matter how far it can go
      along, otherwise it would be leaked.
      
      This patch fixes several missed cases.
      Signed-off-by: default avatarWei Xu <wexu@redhat.com>
      Reported-by: default avatarMatthew Rosato <mjrosato@linux.vnet.ibm.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c33ee15b
    • Wei Xu's avatar
      vhost: fix skb leak in handle_rx() · 6e474083
      Wei Xu authored
      Matthew found a roughly 40% tcp throughput regression with commit
      c67df11f(vhost_net: try batch dequing from skb array) as discussed
      in the following thread:
      https://www.mail-archive.com/netdev@vger.kernel.org/msg187936.html
      
      Eventually we figured out that it was a skb leak in handle_rx()
      when sending packets to the VM. This usually happens when a guest
      can not drain out vq as fast as vhost fills in, afterwards it sets
      off the traffic jam and leaks skb(s) which occurs as no headcount
      to send on the vq from vhost side.
      
      This can be avoided by making sure we have got enough headcount
      before actually consuming a skb from the batched rx array while
      transmitting, which is simply done by moving checking the zero
      headcount a bit ahead.
      Signed-off-by: default avatarWei Xu <wexu@redhat.com>
      Reported-by: default avatarMatthew Rosato <mjrosato@linux.vnet.ibm.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e474083
    • David S. Miller's avatar
      Merge branch 'bnxt_en-fixes' · fa935ca2
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: Fixes.
      
      A shutdown fix for SMARTNIC, 2 fixes related to TC Flower vxlan
      filters, and the last one fixes an out-of-scope variable when sending
      short firmware messages.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fa935ca2
    • Vasundhara Volam's avatar
      bnxt_en: Fix a variable scoping in bnxt_hwrm_do_send_msg() · ebd5818c
      Vasundhara Volam authored
      short_input variable is assigned to another data pointer which is
      referred out of its scope. Fix it by moving short_input definition
      to the beginning of bnxt_hwrm_do_send_msg() function.
      
      No failure has been reported so far due to this issue.
      
      Fixes: e605db80 ("bnxt_en: Support for Short Firmware Message")
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ebd5818c
    • Sathya Perla's avatar
      bnxt_en: fix dst/src fid for vxlan encap/decap actions · e9ecc731
      Sathya Perla authored
      For flows that involve a vxlan encap action, the vxlan sock
      interface may be specified as the outgoing interface. The driver
      must resolve the outgoing PF interface used by this socket and
      use the dst_fid of the PF in the hwrm_cfa_encap_record_alloc cmd.
      
      Similarily for flows that have a vxlan decap action, the
      fid of the incoming PF interface must be used as the src_fid in
      the hwrm_cfa_decap_filter_alloc cmd.
      
      Fixes: 8c95f773 ("bnxt_en: add support for Flower based vxlan encap/decap offload")
      Signed-off-by: default avatarSathya Perla <sathya.perla@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e9ecc731
    • Sunil Challa's avatar
      bnxt_en: wildcard smac while creating tunnel decap filter · c8fb7b82
      Sunil Challa authored
      While creating a decap filter the tunnel smac need not (and must not) be
      specified as we cannot ascertain the neighbor in the recv path. 'ttl'
      match is also not needed for the decap filter and must be wild-carded.
      
      Fixes: f484f678 ("bnxt_en: add hwrm FW cmds for cfa_encap_record and decap_filter")
      Signed-off-by: default avatarSunil Challa <sunilkumar.challa@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8fb7b82