1. 02 Jul, 2019 4 commits
    • Stefano Garzarella's avatar
      vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock · 9c7a5582
      Stefano Garzarella authored
      Some callbacks used by the upper layers can run while we are in the
      .remove(). A potential use-after-free can happen, because we free
      the_virtio_vsock without knowing if the callbacks are over or not.
      
      To solve this issue we move the assignment of the_virtio_vsock at the
      end of .probe(), when we finished all the initialization, and at the
      beginning of .remove(), before to release resources.
      For the same reason, we do the same also for the vdev->priv.
      
      We use RCU to be sure that all callbacks that use the_virtio_vsock
      ended before freeing it. This is not required for callbacks that
      use vdev->priv, because after the vdev->config->del_vqs() we are sure
      that they are ended and will no longer be invoked.
      
      We also take the mutex during the .remove() to avoid that .probe() can
      run while we are resetting the device.
      Signed-off-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9c7a5582
    • Taehee Yoo's avatar
      vxlan: do not destroy fdb if register_netdevice() is failed · 7c31e54a
      Taehee Yoo authored
      __vxlan_dev_create() destroys FDB using specific pointer which indicates
      a fdb when error occurs.
      But that pointer should not be used when register_netdevice() fails because
      register_netdevice() internally destroys fdb when error occurs.
      
      This patch makes vxlan_fdb_create() to do not link fdb entry to vxlan dev
      internally.
      Instead, a new function vxlan_fdb_insert() is added to link fdb to vxlan
      dev.
      
      vxlan_fdb_insert() is called after calling register_netdevice().
      This routine can avoid situation that ->ndo_uninit() destroys fdb entry
      in error path of register_netdevice().
      Hence, error path of __vxlan_dev_create() routine can have an opportunity
      to destroy default fdb entry by hand.
      
      Test command
          ip link add bonding_masters type vxlan id 0 group 239.1.1.1 \
      	    dev enp0s9 dstport 4789
      
      Splat looks like:
      [  213.392816] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  213.401257] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  213.402178] CPU: 0 PID: 1414 Comm: ip Not tainted 5.2.0-rc5+ #256
      [  213.402178] RIP: 0010:vxlan_fdb_destroy+0x120/0x220 [vxlan]
      [  213.402178] Code: df 48 8b 2b 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 06 01 00 00 4c 8b 63 08 48 b8 00 00 00 00 00 fc d
      [  213.402178] RSP: 0018:ffff88810cb9f0a0 EFLAGS: 00010202
      [  213.402178] RAX: dffffc0000000000 RBX: ffff888101d4a8c8 RCX: 0000000000000000
      [  213.402178] RDX: 1bd5a00000000040 RSI: ffff888101d4a8c8 RDI: ffff888101d4a8d0
      [  213.402178] RBP: 0000000000000000 R08: fffffbfff22b72d9 R09: 0000000000000000
      [  213.402178] R10: 00000000ffffffef R11: 0000000000000000 R12: dead000000000200
      [  213.402178] R13: ffff88810cb9f1f8 R14: ffff88810efccda0 R15: ffff88810efccda0
      [  213.402178] FS:  00007f7f6621a0c0(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
      [  213.402178] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  213.402178] CR2: 000055746f0807d0 CR3: 00000001123e0000 CR4: 00000000001006f0
      [  213.402178] Call Trace:
      [  213.402178]  __vxlan_dev_create+0x3a9/0x7d0 [vxlan]
      [  213.402178]  ? vxlan_changelink+0x740/0x740 [vxlan]
      [  213.402178]  ? rcu_read_unlock+0x60/0x60 [vxlan]
      [  213.402178]  ? __kasan_kmalloc.constprop.3+0xa0/0xd0
      [  213.402178]  vxlan_newlink+0x8d/0xc0 [vxlan]
      [  213.402178]  ? __vxlan_dev_create+0x7d0/0x7d0 [vxlan]
      [  213.554119]  ? __netlink_ns_capable+0xc3/0xf0
      [  213.554119]  __rtnl_newlink+0xb75/0x1180
      [  213.554119]  ? rtnl_link_unregister+0x230/0x230
      [ ... ]
      
      Fixes: 0241b836 ("vxlan: fix default fdb entry netlink notify ordering during netdev create")
      Suggested-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Acked-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7c31e54a
    • Marcelo Ricardo Leitner's avatar
      sctp: fix error handling on stream scheduler initialization · 4d141581
      Marcelo Ricardo Leitner authored
      It allocates the extended area for outbound streams only on sendmsg
      calls, if they are not yet allocated.  When using the priority
      stream scheduler, this initialization may imply into a subsequent
      allocation, which may fail.  In this case, it was aborting the stream
      scheduler initialization but leaving the ->ext pointer (allocated) in
      there, thus in a partially initialized state.  On a subsequent call to
      sendmsg, it would notice the ->ext pointer in there, and trip on
      uninitialized stuff when trying to schedule the data chunk.
      
      The fix is undo the ->ext initialization if the stream scheduler
      initialization fails and avoid the partially initialized state.
      
      Although syzkaller bisected this to commit 4ff40b86 ("sctp: set
      chunk transport correctly when it's a new asoc"), this bug was actually
      introduced on the commit I marked below.
      
      Reported-by: syzbot+c1a380d42b190ad1e559@syzkaller.appspotmail.com
      Fixes: 5bbbbe32 ("sctp: introduce stream scheduler foundations")
      Tested-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4d141581
    • Cong Wang's avatar
      netrom: fix a memory leak in nr_rx_frame() · c8c8218e
      Cong Wang authored
      When the skb is associated with a new sock, just assigning
      it to skb->sk is not sufficient, we have to set its destructor
      to free the sock properly too.
      
      Reported-by: syzbot+d6636a36d3c34bd88938@syzkaller.appspotmail.com
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8c8218e
  2. 01 Jul, 2019 5 commits
  3. 30 Jun, 2019 6 commits
  4. 29 Jun, 2019 9 commits
    • Baruch Siach's avatar
      net: dsa: mv88e6xxx: wait after reset deactivation · 7b75e49d
      Baruch Siach authored
      Add a 1ms delay after reset deactivation. Otherwise the chip returns
      bogus ID value. This is observed with 88E6390 (Peridot) chip.
      Signed-off-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7b75e49d
    • Guilherme G. Piccoli's avatar
      bnx2x: Prevent ptp_task to be rescheduled indefinitely · 3c91f25c
      Guilherme G. Piccoli authored
      Currently bnx2x ptp worker tries to read a register with timestamp
      information in case of TX packet timestamping and in case it fails,
      the routine reschedules itself indefinitely. This was reported as a
      kworker always at 100% of CPU usage, which was narrowed down to be
      bnx2x ptp_task.
      
      By following the ioctl handler, we could narrow down the problem to
      an NTP tool (chrony) requesting HW timestamping from bnx2x NIC with
      RX filter zeroed; this isn't reproducible for example with ptp4l
      (from linuxptp) since this tool requests a supported RX filter.
      It seems NIC FW timestamp mechanism cannot work well with
      RX_FILTER_NONE - driver's PTP filter init routine skips a register
      write to the adapter if there's not a supported filter request.
      
      This patch addresses the problem of bnx2x ptp thread's everlasting
      reschedule by retrying the register read 10 times; between the read
      attempts the thread sleeps for an increasing amount of time starting
      in 1ms to give FW some time to perform the timestamping. If it still
      fails after all retries, we bail out in order to prevent an unbound
      resource consumption from bnx2x.
      
      The patch also adds an ethtool statistic for accounting the skipped
      TX timestamp packets and it reduces the priority of timestamping
      error messages to prevent log flooding. The code was tested using
      both linuxptp and chrony.
      Reported-and-tested-by: default avatarPrzemyslaw Hausman <przemyslaw.hausman@canonical.com>
      Suggested-by: default avatarSudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: default avatarGuilherme G. Piccoli <gpiccoli@canonical.com>
      Acked-by: default avatarSudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3c91f25c
    • Eric Dumazet's avatar
      igmp: fix memory leak in igmpv3_del_delrec() · e5b1c6c6
      Eric Dumazet authored
      im->tomb and/or im->sources might not be NULL, but we
      currently overwrite their values blindly.
      
      Using swap() will make sure the following call to kfree_pmc(pmc)
      will properly free the psf structures.
      
      Tested with the C repro provided by syzbot, which basically does :
      
       socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
       setsockopt(3, SOL_IP, IP_ADD_MEMBERSHIP, "\340\0\0\2\177\0\0\1\0\0\0\0", 12) = 0
       ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=0}) = 0
       setsockopt(3, SOL_IP, IP_MSFILTER, "\340\0\0\2\177\0\0\1\1\0\0\0\1\0\0\0\377\377\377\377", 20) = 0
       ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP}) = 0
       exit_group(0)                    = ?
      
      BUG: memory leak
      unreferenced object 0xffff88811450f140 (size 64):
        comm "softirq", pid 0, jiffies 4294942448 (age 32.070s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00  ................
          00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<00000000c7bad083>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
          [<00000000c7bad083>] slab_post_alloc_hook mm/slab.h:439 [inline]
          [<00000000c7bad083>] slab_alloc mm/slab.c:3326 [inline]
          [<00000000c7bad083>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
          [<000000009acc4151>] kmalloc include/linux/slab.h:547 [inline]
          [<000000009acc4151>] kzalloc include/linux/slab.h:742 [inline]
          [<000000009acc4151>] ip_mc_add1_src net/ipv4/igmp.c:1976 [inline]
          [<000000009acc4151>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2100
          [<000000004ac14566>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2484
          [<0000000052d8f995>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:959
          [<000000004ee1e21f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1248
          [<0000000066cdfe74>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2618
          [<000000009383a786>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3126
          [<00000000d8ac0c94>] __sys_setsockopt+0x98/0x120 net/socket.c:2072
          [<000000001b1e9666>] __do_sys_setsockopt net/socket.c:2083 [inline]
          [<000000001b1e9666>] __se_sys_setsockopt net/socket.c:2080 [inline]
          [<000000001b1e9666>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
          [<00000000420d395e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
          [<000000007fd83a4b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 24803f38 ("igmp: do not remove igmp souce list info when set link down")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Hangbin Liu <liuhangbin@gmail.com>
      Reported-by: syzbot+6ca1abd0db68b5173a4f@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e5b1c6c6
    • David S. Miller's avatar
      Merge branch 'Sub-ns-increment-fixes-in-Macb-PTP' · c09fedd6
      David S. Miller authored
      Harini Katakam says:
      
      ====================
      Sub ns increment fixes in Macb PTP
      
      The subns increment register fields are not captured correctly in the
      driver. Fix the same and also increase the subns incr resolution.
      
      Sub ns resolution was increased to 24 bits in r1p06f2 version. To my
      knowledge, this PTP driver, with its current BD time stamp
      implementation, is only useful to that version or above. So, I have
      increased the resolution unconditionally. Please let me know if there
      is any IP versions incompatible with this - there is no register to
      obtain this information from.
      
      Changes from RFC:
      None
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c09fedd6
    • Harini Katakam's avatar
      net: macb: Fix SUBNS increment and increase resolution · 7ad342bc
      Harini Katakam authored
      The subns increment register has 24 bits as follows:
      RegBit[15:0] = Subns[23:8]; RegBit[31:24] = Subns[7:0]
      
      Fix the same in the driver and increase sub ns resolution to the
      best capable, 24 bits. This should be the case on all GEM versions
      that this PTP driver supports.
      Signed-off-by: default avatarHarini Katakam <harini.katakam@xilinx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7ad342bc
    • Harini Katakam's avatar
      net: macb: Add separate definition for PPM fraction · a8ee4dc1
      Harini Katakam authored
      The scaled ppm parameter passed to _adjfine() contains a 16 bit
      fraction. This just happens to be the same as SUBNSINCR_SIZE now.
      Hence define this separately.
      Signed-off-by: default avatarHarini Katakam <harini.katakam@xilinx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8ee4dc1
    • Jiunn Chang's avatar
      packet: Fix undefined behavior in bit shift · 79293f49
      Jiunn Chang authored
      Shifting signed 32-bit value by 31 bits is undefined.  Changing most
      significant bit to unsigned.
      
      Changes included in v2:
        - use subsystem specific subject lines
        - CC required mailing lists
      Signed-off-by: default avatarJiunn Chang <c0d1n61at3@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79293f49
    • Florian Westphal's avatar
      net: make skb_dst_force return true when dst is refcounted · b60a7738
      Florian Westphal authored
      netfilter did not expect that skb_dst_force() can cause skb to lose its
      dst entry.
      
      I got a bug report with a skb->dst NULL dereference in netfilter
      output path.  The backtrace contains nf_reinject(), so the dst might have
      been cleared when skb got queued to userspace.
      
      Other users were fixed via
      if (skb_dst(skb)) {
      	skb_dst_force(skb);
      	if (!skb_dst(skb))
      		goto handle_err;
      }
      
      But I think its preferable to make the 'dst might be cleared' part
      of the function explicit.
      
      In netfilter case, skb with a null dst is expected when queueing in
      prerouting hook, so drop skb for the other hooks.
      
      v2:
       v1 of this patch returned true in case skb had no dst entry.
       Eric said:
         Say if we have two skb_dst_force() calls for some reason
         on the same skb, only the first one will return false.
      
       This now returns false even when skb had no dst, as per Erics
       suggestion, so callers might need to check skb_dst() first before
       skb_dst_force().
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b60a7738
    • Xin Long's avatar
      sctp: not bind the socket in sctp_connect · 9b6c0887
      Xin Long authored
      Now when sctp_connect() is called with a wrong sa_family, it binds
      to a port but doesn't set bp->port, then sctp_get_af_specific will
      return NULL and sctp_connect() returns -EINVAL.
      
      Then if sctp_bind() is called to bind to another port, the last
      port it has bound will leak due to bp->port is NULL by then.
      
      sctp_connect() doesn't need to bind ports, as later __sctp_connect
      will do it if bp->port is NULL. So remove it from sctp_connect().
      While at it, remove the unnecessary sockaddr.sa_family len check
      as it's already done in sctp_inet_connect.
      
      Fixes: 644fbdea ("sctp: fix the issue that flags are ignored when using kernel_connect")
      Reported-by: syzbot+079bf326b38072f849d9@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b6c0887
  5. 28 Jun, 2019 16 commits
    • Maxime Chevallier's avatar
      net: mvpp2: prs: Don't override the sign bit in SRAM parser shift · 8ec3ede5
      Maxime Chevallier authored
      The Header Parser allows identifying various fields in the packet
      headers, used for various kind of filtering and classification
      steps.
      
      This is a re-entrant process, where the offset in the packet header
      depends on the previous lookup results. This offset is represented in
      the SRAM results of the TCAM, as a shift to be operated.
      
      This shift can be negative in some cases, such as in IPv6 parsing.
      
      This commit prevents overriding the sign bit when setting the shift
      value, which could cause instabilities when parsing IPv6 flows.
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375 network unit")
      Suggested-by: default avatarAlan Winkowski <walan@marvell.com>
      Signed-off-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ec3ede5
    • Russell King's avatar
      net: phylink: further documentation clarifications · 32e454ef
      Russell King authored
      Clarify the validate() behaviour in a few cases which weren't mentioned
      in the documentation, but which are necessary for users to get the
      correct behaviour.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32e454ef
    • Marek Vasut's avatar
      net: ethernet: ti: cpsw: Assign OF node to slave devices · 337d1727
      Marek Vasut authored
      Assign OF node to CPSW slave devices, otherwise it is not possible to
      bind e.g. DSA switch to them. Without this patch, the DSA code tries
      to find the ethernet device by OF match, but fails to do so because
      the slave device has NULL OF node.
      Signed-off-by: default avatarMarek Vasut <marex@denx.de>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      337d1727
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 7c3d310d
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Fix memleak reported by syzkaller when registering IPVS hooks,
         patch from Julian Anastasov.
      
      2) Fix memory leak in start_sync_thread, also from Julian.
      
      3) Fix conntrack deletion via ctnetlink, from Felix Kaechele.
      
      4) Fix reject for ICMP due to incorrect checksum handling, from
         He Zhe.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7c3d310d
    • Benedikt Spranger's avatar
      net: dsa: b53: Disable all ports on setup · 75dad252
      Benedikt Spranger authored
      A b53 device may configured through an external EEPROM like the switch
      device on the Lamobo R1 router board. The configuration of a port may
      therefore differ from the reset configuration of the switch.
      
      The switch configuration reported by the DSA subsystem is different until
      the port is configured by DSA i.e. a port can be active, while the DSA
      subsystem reports the port is inactive. Disable all ports and not only
      the unused ones to put all ports into a well defined state.
      Signed-off-by: default avatarBenedikt Spranger <b.spranger@linutronix.de>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      75dad252
    • He Zhe's avatar
      netfilter: Fix remainder of pseudo-header protocol 0 · 5d154984
      He Zhe authored
      Since v5.1-rc1, some types of packets do not get unreachable reply with the
      following iptables setting. Fox example,
      
      $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
      $ ping 127.0.0.1 -c 1
      PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
      — 127.0.0.1 ping statistics —
      1 packets transmitted, 0 received, 100% packet loss, time 0ms
      
      We should have got the following reply from command line, but we did not.
      From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
      
      Yi Zhao reported it and narrowed it down to:
      7fc38225 ("netfilter: reject: skip csum verification for protocols that don't support it"),
      
      This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
      packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
      treated as TCP/UDP.
      
      This patch corrects the conditions in nf_ip_checksum and all other places that
      still call it with protocol 0.
      
      Fixes: 7fc38225 ("netfilter: reject: skip csum verification for protocols that don't support it")
      Reported-by: default avatarYi Zhao <yi.zhao@windriver.com>
      Signed-off-by: default avatarHe Zhe <zhe.he@windriver.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      5d154984
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2019-06-28' of... · e7792df8
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2019-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Just a single patch:
       * 1<<31 is undefined, use 1U<<31 in nl80211.h UAPI
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e7792df8
    • David S. Miller's avatar
      Merge tag 'batadv-net-for-davem-20190627' of git://git.open-mesh.org/linux-merge · 2c377b5a
      David S. Miller authored
      Simon Wunderlich says:
      
      ====================
      Here are some batman-adv bugfixes:
      
       - fix a leaked TVLV handler which wasn't unregistered, by Jeremy Sowden
      
       - fix duplicated OGMs when interfaces are set UP, by Sven Eckelmann
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2c377b5a
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2019-06-28' of... · e78557ba
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2019-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 5.2
      
      Hopefully the last set of fixes for 5.2. Nothing special this around,
      only small fixes and support for new cards.
      
      iwlwifi
      
      * add new cards for 22000 series and smaller fixes
      
      wl18xx
      
      * fix a clang warning about unused variables
      
      mwifiex
      
      * properly handle small vendor IEs (a regression from the recent
        security fix)
      
      ath
      
      * fix few SPDX tags
      
      mt76
      
      * fix A-MSDU aggregation which got broken in v5.2-rc1
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e78557ba
    • Jiunn Chang's avatar
      nl80211: Fix undefined behavior in bit shift · d2ce8d6b
      Jiunn Chang authored
      Shifting signed 32-bit value by 31 bits is undefined.  Changing most
      significant bit to unsigned.
      Signed-off-by: default avatarJiunn Chang <c0d1n61at3@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      d2ce8d6b
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 556e2f60
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A handful of clk driver fixes and one core framework fix
      
         - Do a DT/firmware lookup in clk_core_get() even when the DT index is
           a nonsensical value
      
         - Fix some clk data typos in the Amlogic DT headers/code
      
         - Avoid returning junk in the TI clk driver when an invalid clk is
           looked for
      
         - Fix dividers for the emac clks on Stratix10 SoCs
      
         - Fix default HDA rates on Tegra210 to correct distorted audio"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: socfpga: stratix10: fix divider entry for the emac clocks
        clk: Do a DT parent lookup even when index < 0
        clk: tegra210: Fix default rates for HDA clocks
        clk: ti: clkctrl: Fix returning uninitialized data
        clk: meson: meson8b: fix a typo in the VPU parent names array variable
        clk: meson: fix MPLL 50M binding id typo
      556e2f60
    • Linus Torvalds's avatar
      Merge tag 'for-5.2/dm-fixes-2' of... · 65ee21eb
      Linus Torvalds authored
      Merge tag 'for-5.2/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix incorrect uses of kstrndup and DM logging macros in DM's early
         init code.
      
       - Fix DM log-writes target's handling of super block sectors so updates
         are made in order through use of completion.
      
       - Fix DM core's argument splitting code to avoid undefined behaviour
         reported as a side-effect of UBSAN analysis on ppc64le.
      
       - Fix DM verity target to limit the amount of error messages that can
         result from a corrupt block being found.
      
      * tag 'for-5.2/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm verity: use message limit for data block corruption message
        dm table: don't copy from a NULL pointer in realloc_argv()
        dm log writes: make sure super sector log updates are written in order
        dm init: remove trailing newline from calls to DMERR() and DMINFO()
        dm init: fix incorrect uses of kstrndup()
      65ee21eb
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190627' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux · 7a702b4e
      Linus Torvalds authored
      Pull pidfd fixes from Christian Brauner:
       "Userspace tools and libraries such as strace or glibc need a cheap and
        reliable way to tell whether CLONE_PIDFD is supported. The easiest way
        is to pass an invalid fd value in the return argument, perform the
        syscall and verify the value in the return argument has been changed
        to a valid fd.
      
        However, if CLONE_PIDFD is specified we currently check if pidfd == 0
        and return EINVAL if not.
      
        The check for pidfd == 0 was originally added to enable us to abuse
        the return argument for passing additional flags along with
        CLONE_PIDFD in the future.
      
        However, extending legacy clone this way would be a terrible idea and
        with clone3 on the horizon and the ability to reuse CLONE_DETACHED
        with CLONE_PIDFD there's no real need for this clutch. So remove the
        pidfd == 0 check and help userspace out.
      
        Also, accordig to Al, anon_inode_getfd() should only be used past the
        point of no failure and ksys_close() should not be used at all since
        it is far too easy to get wrong. Al's motto being "basically, once
        it's in descriptor table, it's out of your control". So Al's patch
        switches back to what we already had in v1 of the original patchset
        and uses a anon_inode_getfile() + put_user() + fd_install() sequence
        in the success path and a fput() + put_unused_fd() in the failure
        path.
      
        The other two changes should be trivial"
      
      * tag 'for-linus-20190627' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux:
        proc: remove useless d_is_dir() check
        copy_process(): don't use ksys_close() on cleanups
        samples: make pidfd-metadata fail gracefully on older kernels
        fork: don't check parent_tidptr with CLONE_PIDFD
      7a702b4e
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 763cf1f2
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fix for one corner case in HID++ protocol with respect to handling
         very long reports, from Hans de Goede
      
       - power management fix in Intel-ISH driver, from Hyungwoo Yang
      
       - use-after-free fix in Intel-ISH driver, from Dan Carpenter
      
       - a couple of new device IDs/quirks from Kai-Heng Feng, Kyle Godbey and
         Oleksandr Natalenko
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: intel-ish-hid: fix wrong driver_data usage
        HID: multitouch: Add pointstick support for ALPS Touchpad
        HID: logitech-dj: Fix forwarding of very long HID++ reports
        HID: uclogic: Add support for Huion HS64 tablet
        HID: chicony: add another quirk for PixArt mouse
        HID: intel-ish-hid: Fix a use after free in load_fw_from_host()
      763cf1f2
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · fe2da896
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A smaller batch of fixes, nothing that stands out as risky or scary.
      
        Mostly DTS tweaks for a few issues:
      
         - GPU fixlets for Meson
      
         - CPU idle fix for LS1028A
      
         - PWM interrupt fixes for i.MX6UL
      
        Also, enable a driver (FSL_EDMA) on arm64 defconfig, and a warning and
        two MAINTAINER tweaks"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        ARM: dts: imx6ul: fix PWM[1-4] interrupts
        ARM: omap2: remove incorrect __init annotation
        ARM: dts: gemini Fix up DNS-313 compatible string
        ARM: dts: Blank D-Link DIR-685 console
        arm64: defconfig: Enable FSL_EDMA driver
        arm64: dts: ls1028a: Fix CPU idle fail.
        MAINTAINERS: BCM53573: Add internal Broadcom mailing list
        MAINTAINERS: BCM2835: Add internal Broadcom mailing list
        ARM: dts: meson8b: fix the operating voltage of the Mali GPU
        ARM: dts: meson8b: drop undocumented property from the Mali GPU node
        ARM: dts: meson8: fix GPU interrupts and drop an undocumented property
      fe2da896
    • Linus Torvalds's avatar
      Merge tag 'afs-fixes-20190620' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · cd0f3aae
      Linus Torvalds authored
      Pull AFS fixes from David Howells:
       "The in-kernel AFS client has been undergoing testing on opendev.org on
        one of their mirror machines. They are using AFS to hold data that is
        then served via apache, and Ian Wienand had reported seeing oopses,
        spontaneous machine reboots and updates to volumes going missing. This
        patch series appears to have fixed the problem, very probably due to
        patch (2), but it's not 100% certain.
      
        (1) Fix the printing of the "vnode modified" warning to exclude checks
            on files for which we don't have a callback promise from the
            server (and so don't expect the server to tell us when it
            changes).
      
            Without this, for every file or directory for which we still have
            an in-core inode that gets changed on the server, we may get a
            message logged when we next look at it. This can happen in bulk
            if, for instance, someone does "vos release" to update a R/O
            volume from a R/W volume and a whole set of files are all changed
            together.
      
            We only really want to log a message if the file changed and the
            server didn't tell us about it or we failed to track the state
            internally.
      
        (2) Fix accidental corruption of either afs_vlserver struct objects or
            the the following memory locations (which could hold anything).
            The issue is caused by a union that points to two different
            structs in struct afs_call (to save space in the struct). The call
            cleanup code assumes that it can simply call the cleanup for one
            of those structs if not NULL - when it might be actually pointing
            to the other struct.
      
            This means that every Volume Location RPC op is going to corrupt
            something.
      
        (3) Fix an uninitialised spinlock. This isn't too bad, it just causes
            a one-off warning if lockdep is enabled when "vos release" is
            called, but the spinlock still behaves correctly.
      
        (4) Fix the setting of i_block in the inode. This causes du, for
            example, to produce incorrect results, but otherwise should not be
            dangerous to the kernel"
      
      * tag 'afs-fixes-20190620' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        afs: Fix setting of i_blocks
        afs: Fix uninitialised spinlock afs_volume::cb_break_lock
        afs: Fix vlserver record corruption
        afs: Fix over zealous "vnode modified" warnings
      cd0f3aae