In commit c60ac5693c ("powerpc: Update kernel VSID range", 2013-03-13)
we lost a check on the region number (the top four bits of the effective
address) for addresses below PAGE_OFFSET. That commit replaced a check
that the top 18 bits were all zero with a check that bits 46 - 59 were
zero (performed for all addresses, not just user addresses).
This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
and we will insert a valid SLB entry for it. The VSID used will be the
same as if the top 4 bits were 0, but the page size will be some random
value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
array in the paca. If that page size is the same as would be used for
region 0, then userspace just has an alias of the region 0 space. If the
page size is different, then no HPTE will be found for the access, and
the process will get a SIGSEGV (since hash_page_mm() will refuse to create
a HPTE for the bogus address).
The access beyond the end of the mm_ctx_high_slices_psize can be at most
5.5MB past the array, and so will be in RAM somewhere. Since the access
is a load performed in real mode, it won't fault or crash the kernel.
At most this bug could perhaps leak a little bit of information about
blocks of 32 bytes of memory located at offsets of i * 512kB past the
paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.
Fixes: c60ac5693c ("powerpc: Update kernel VSID range")
Cc: stable@vger.kernel.org # v3.9+
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Commit 7aef413656 ("powerpc32: rewrite csum_partial_copy_generic()
based on copy_tofrom_user()") introduced a bug when destination address
is odd and len is lower than cacheline size.
In that case the resulting csum value doesn't have to be rotated one
byte because the cache-aligned copy part is skipped so no alignment
is performed.
Fixes: 7aef413656 ("powerpc32: rewrite csum_partial_copy_generic() based on copy_tofrom_user()")
Cc: stable@vger.kernel.org # v4.6+
Reported-by: Alessio Igor Bogani <alessio.bogani@elettra.eu>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Tested-by: Alessio Igor Bogani <alessio.bogani@elettra.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
In pnv_ioda_free_pe(), the PE object (including the associated PE
number) is cleared before resetting the corresponding bit in the
PE allocation bitmap. It means PE#0 is always released to the bitmap
wrongly.
This fixes above issue by caching the PE number before the PE object
is cleared.
Fixes: 1e9167726c ("powerpc/powernv: Use PE instead of number during setup and release"
Cc: stable@vger.kernel.org # v4.7+
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Tomer Tayar says:
====================
qed*: Debug data collection
This patch series adds the support of debug data collection in the qed driver,
and the means to extract it in the qede driver via the get_regs operation.
Changes from V1:
- Respin of the series after rebasing next-next.
- Remove the first patch as it seems that its V1 version was already applied
(commit '4102426f9b7b3627c8c23a54d70363e81c93f9b7').
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Tomer Tayar <Tomer.Tayar@qlogic.com>
Signed-off-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch adds the support for dumping and formatting the HW/FW debug data.
Signed-off-by: Tomer Tayar <Tomer.Tayar@qlogic.com>
Signed-off-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
SOme statements in the driver only served to inform
which functions were entered. Ftrace can do that just as good without
needing memory. Remove the statements.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We get 4 warnings when building kernel with W=1:
drivers/net/ethernet/qlogic/qed/qed_selftest.c:6:5: warning: no previous prototype for 'qed_selftest_memory' [-Wmissing-prototypes]
drivers/net/ethernet/qlogic/qed/qed_selftest.c:19:5: warning: no previous prototype for 'qed_selftest_interrupt' [-Wmissing-prototypes]
drivers/net/ethernet/qlogic/qed/qed_selftest.c:32:5: warning: no previous prototype for 'qed_selftest_register' [-Wmissing-prototypes]
drivers/net/ethernet/qlogic/qed/qed_selftest.c:55:5: warning: no previous prototype for 'qed_selftest_clock' [-Wmissing-prototypes]
In fact, these functions are declared in qed_selftest.h, so this patch
add missing header dependencies.
Signed-off-by: Baoyou Xie <baoyou.xie@linaro.org>
Acked-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
udp_diag_destroy does look up the IPv4 UDP hashtable for mapped
addresses, but it gets the IPv4 address to look up from the
beginning of the IPv6 address instead of the end.
Tested: https://android-review.googlesource.com/269874
Fixes: 5d77dca828 ("net: diag: support SOCK_DESTROY for UDP sockets")
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This bug was detected by kmemleak:
unreferenced object 0xffff8804269cc3c0 (size 64):
comm "criu", pid 1042, jiffies 4294907360 (age 13.713s)
hex dump (first 32 bytes):
a0 32 cc 2c 04 88 ff ff 00 00 00 00 00 00 00 00 .2.,............
00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................
backtrace:
[<ffffffff8184dffa>] kmemleak_alloc+0x4a/0xa0
[<ffffffff8124720f>] kmem_cache_alloc_trace+0x10f/0x280
[<ffffffffa02864cc>] __netlink_diag_dump+0x26c/0x290 [netlink_diag]
v2: don't remove a reference on a rhashtable_iter structure to
release it from netlink_diag_dump_done
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Fixes: ad20207432 ("netlink: Use rhashtable walk interface in diag dump")
Signed-off-by: Andrei Vagin <avagin@openvz.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUAV9Az6vSw1s6N8H32AQLnlg/8C2LbVZXDNjWZAMBft6RiD2BndZGlfD1V
8pDqgjdlC18CY8FUYBQCaKndyzOWM+K3dw+e8aix8qKorzK0Lfdahilt/HKN3XS3
g/BUJvVIoJtM561zN4Z8WIvkWVOHWWA1ZVykzRcqA/9AmuEApxzrbDTCEXwyl6A0
88xO9By6GI3MTuWZJ7gFaFXMqToVV81T9OfLf1b7PYWfk5KJG3TFrm/lsl5+cnts
cmaptfnEucKmmS3jswYRT8Dj875gsgP3yzgyxigBNUQK13S+VHBdeQb/pHY+GXDA
scK3UYaPSZLgUvlWah63zShyrFguw5XNma8YM4A/BOjbuY4lg8SskMyXdaXfA78k
8p8BdBzrRfkgajh0wi+K6F6O0BUwxRPUS+hp4ijahUtisFSKRTDodPddzVfIb0NT
VYWcWD2x2l6+PfQ2V4t5VdsQfh1AzJ+4+5ajkm+YFjZ56v16nDh1KXrpIWgjYeTl
+Hroi4pMtyhfKfqBh2mhjLwYg0v2CjEJFJ/inQ60K24KFJly5v1un5mxjCTzJAUx
mYucf6U7Xls64VQfg+SmozJjcGYJAR87nas0o4p6YRY7bk54Jjs6kF6ufQvoNbsd
hEeAC6X6HjE/9WcyHcj6d4se2DhvfC+2TM+nECUasxxl/PSR9MnEfk1DU3ZNLBI0
bKkf4JC8Cw0=
=b6BX
-----END PGP SIGNATURE-----
Merge tag 'rxrpc-rewrite-20160907-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
David Howells says:
====================
rxrpc: Local abort tracepoint
Here are two patches. They need to be applied on top of the just-posted
call refcount overhaul patch:
(1) Fix the return value of some call completion helpers.
(2) Add a tracepoint that allows local aborts to be debugged.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUAV9As3/Sw1s6N8H32AQJauw/+IAVW6pYAN4CpDmf8V38x0oyy8ecwOIXF
bpDlniJ4xvxz4VyHLZEYBsbf9SOeFTFYgxBv4x0Mlm6T1TtbD+4fmvA/O2wEDnyD
wH+EAu1rPKnUII2YiytktdzeiXNrQBlhF4RCTzq3SewsqoP6WDobJsU7k/hrgrie
9DuhZshpDXZW2hwtPVoZ42Th+9Mway+//39MLK5fc61uLKQwlkcGAibe6GnfQIgv
rIh0niIZHgW+6Ezf7NOuYgxrFWG+/NQ8W34FZ75Exj5P/183+fn0P0i5wHKBwopV
W7yC2HhG/OrxJU3li7FTzm0WaDbqhtLiUNOLHNGJpDinb9b6svL1T/pwqkWT46PK
BO7z1IiZ4X0AoazUMlIG3LIu+HanI041SYa4iY1QE1yXDG0Mf7tIvPXWGw/jj7vS
8aOcBm1DPYYx8TLcdPxuFUW0EtpgDz5hoThfk1kETg2lood85WfuptT3wDA+QvU9
YCY5XbZtXib1yU02EqWDEEYQhMx6BfFFjW0IOouPYKr1jarW7aEaSISTDww2ELes
iSkVlZyD67fMQ2Vu9nSMJg0wCY+BwBQlsbDyjBO1NHImRwwV/wI7qZqRdX+2ogdg
wmLLqTzltKTUlM7Cr2z+M/oF0kVyjDodDtzsGjRSoGpzimqx3nidzRrvzqZntV7y
EwvbGTnOhy4=
=emxf
-----END PGP SIGNATURE-----
Merge tag 'rxrpc-rewrite-20160907-1' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
David Howells says:
====================
rxrpc: Overhaul call refcounting
Here's a set of mostly small patches leading up to one big one.
The big patch at the end of the series overhauls how rxrpc_call refcounting
is handled, making it more sane so that calls bound to user IDs are _only_
released from socket operations or kernel API functions. Further, the
patch stops calls from holding refs on their parent socket - which can
prevent the socket from being cleaned up.
The second largest patch improves the call tracking tracepoint by providing
extra information about the situation in which gets and puts occur. This
allows distinctions to be drawn between refs held by the socket user ID
tree, refs held by the work queue (to be implemented by a future patch) and
other refs.
The other patches include a couple of cleanups and some simple alterations
to avoid NULL pointer dereferences in the big patch.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
ucb1x00 has used IRQ probing since it's dawn to find the GPIO interrupt
that it's connected to. However, commit 23393d49fb ("gpio: kill off
set_irq_flags usage") broke this by disabling IRQ probing on GPIO
interrupts. Fix this.
Fixes: 23393d49fb ("gpio: kill off set_irq_flags usage")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
The MCP23S08 driver certainly accesses fields inside the
struct gpio_chip that are only available under CONFIG_OF_GPIO
not just CONFIG_OF, so update the Kconfig and driver to reflect
this.
Cc: Alexander Stein <alexander.stein@systec-electronic.com>
Cc: Phil Reid <preid@electromag.com.au>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
This reverts commit 7d4defe21c.
The commit was pointless, manically trembling in the dark for
a solution. The real fixes are:
commit 048c28c91e
("gpio: make any OF dependent driver depend on OF_GPIO")
commit 2527ecc919
("gpio: Fix OF build problem on UM")
Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
- move page-spanning check behind a CONFIG since it's triggering false positives
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Kees Cook <kees@outflux.net>
iQIcBAABCgAGBQJX0F3qAAoJEIly9N/cbcAmaxEP/R737i+XhP4VOv+rYW050NHB
K+FDeLv5/Gx56JrHRRWwj80K5/9F09wS929AWcaTDjEb2NKp/o/6W/gN1eVdGlJF
K3UQk+Kmncb44poVoHkjMRAl6+sfKm6mTWZBTjBECKwQuCFyDoDoqDXhn5IXTlw9
Ig+TTOSgNw9gRke3ECtFynbVnDWx/Ry/axfT9vGXhFOkWclMUFy2UOdDSTtFAB6x
yw5hdrfGakk2BPscHLO1xNqRuVLRUSXZVUiJGIQ6AiUupm34Yqmm69mrMuxaOtPC
Ai3zhNGDuYClcGJAiPJYX+7nRjgPCWAdlyzQqLp5hwx63TJ+gxvhmxoFOJxEmHE/
99i2Ak073Es6WII532Eknk3vV+UJzQNT/HO+0LcrJFkOEp9EHfVUb19CngQTaX7Q
UbfYdyFgp3y24cRp7v0tP8gE2LCrsRe0UEhUq2NGmrerw3caNqZGHS9Od5OYEM8D
uIhaotWoOv9Z0r+DZMGkUjfqeLb6RWNcUoWc5wZ3VYG27BM/pfhRxKf/2aw6O9u0
2Jk1QJxBr+/8DQ500xu/IBOP9V7aGAc4nxKyqUlwA05/JEFGiAzCwqfZW5CKTxgD
5Ht994WbTEH3/VaAskKnwggeHvttiEpehBCdVA4bXuhBhJhmPjFiKHX7uRrcM2GV
/yH3UTkPnr/VD/I2ndiX
=r8BE
-----END PGP SIGNATURE-----
Merge tag 'usercopy-v4.8-rc6-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull more hardened usercopyfixes from Kees Cook:
- force check_object_size() to be inline too
- move page-spanning check behind a CONFIG since it's triggering false
positives
[ Changed the page-spanning config option to depend on EXPERT in the
merge. That way it still gets build testing, and you can enable it if
you want to, but is never enabled for "normal" configurations ]
* tag 'usercopy-v4.8-rc6-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
usercopy: remove page-spanning test for now
usercopy: force check_object_size() inline
A custom allocator without __GFP_COMP that copies to userspace has been
found in vmw_execbuf_process[1], so this disables the page-span checker
by placing it behind a CONFIG for future work where such things can be
tracked down later.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1373326
Reported-by: Vinson Lee <vlee@freedesktop.org>
Fixes: f5509cc18d ("mm: Hardened usercopy")
Signed-off-by: Kees Cook <keescook@chromium.org>
Just for good measure, make sure that check_object_size() is always
inlined too, as already done for copy_*_user() and __copy_*_user().
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Kees Cook <kees@outflux.net>
iQIcBAABCgAGBQJX0D/IAAoJEIly9N/cbcAmORYQAIzhZ+tFuXkOrEJx0efQx8ik
8ix0wBrh0KTDQkMWQxUnDyIr+7vNcH0oOkH3kwgYaShAZif4oq6TGkdvgJJQr+ca
ZsBcEdasYvglcr/7hEF4cH28h3YqN7HwW+Mx8IqrBQqqjly7V2jamBBd/YXOcDK9
gqXooH1He9QVtVb0uC/AVFVY+st37iuqrreLFKWrX52FaUQ+7f0svN4LWC9b1UEq
UQyi+HMMRbovum9+2WDKPpl8oEZvXE7CiWexwl2G9qBCpm/AhragArl9BhrA31eE
0PPuVBTtypPNvKVieboXUhTg5eet+nFXtlea+/CLWfbqxpecsNiqMgSIg+aWOnz4
Y6Te5P7oSwhto0WzXvilxjvShvjHgTo98PY9Qj0bBb7ECCbI09GfoDf3SPYayTwC
9zPC04mJihr+6h8QdmYgfuHzTVjMxb6YOmAorz805cJ0vHtdPIP4Gkei4R1tNUkG
TNQNXKef/UJbImL17pFu70Ru6/J58OgDuMuAAuswsFt7KELw4DZhmJL+KnYdPG1G
gHirQd1HtQlsBoVvQAwmQjBp+TqFoY3oiv4Y2oq7IEk/ZCs3XJaEYKm90CoZlm4a
sMtA0j+9rWqNirzuyWUeJfkd48yjcbOzSimzSCTsNVVsbyeA1yyapAdHSTWWm554
zEubN4LCJoGiH/FWnX6U
=UgsA
-----END PGP SIGNATURE-----
Merge tag 'seccomp-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull seccomp fixes from Kees Cook:
"Fix UM seccomp vs ptrace, after reordering landed"
* tag 'seccomp-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
seccomp: Remove 2-phase API documentation
um/ptrace: Fix the syscall number update after a ptrace
um/ptrace: Fix the syscall_trace_leave call
ath.git fixes for 4.8. Major changes:
ath10k
* fix racy rx status retrieval from htt context
* QCA9887 support is not experimental anymore, remove the warning message
ath9k
* fix regression with led GPIOs
* fix AR5416 GPIO access warning
usercopy and the recent compile-time checks.
- Switches hardened usercopy to only check non-const size arguments to avoid
meaningless checks on likely-sane const values.
- Updates lkdtm usercopy tests to compenstate for the const checking.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Kees Cook <kees@outflux.net>
iQIcBAABCgAGBQJXzxqiAAoJEIly9N/cbcAmsHkP/jD/htMTw+Yf5ZxafEHLO3yA
IPxwxvEYGHcgmKeFlrjhssOqw1hs0q8D4DVRnlu1NV4XF4b9b+Jz3Tf7PoOhgLLR
f4m0TYzX1tVmiK3qAuVbRQGnA1i08CPhiKPNzo43x+ldBPf7nRQufxkLVBrVmFJa
qSQMZ2Am483xzEwFwRrlYyqsLwlJOA69rMRPJ+n3NLR/f8xRCkGigIvBVdUXBXkk
0v9EhZ+si6dWHFbfu0fhqlintnrOfcLPf6WmsSl/b5HkHqf/J1OW8FRgnDSDEqaQ
/NIap9Ba33ASySilX/qZ7ioSnSVvkL2VmVy5yR2hRBYou1122SXVh2+NwRmmTkCV
avNZZuGaR3Bhmu8xUpDicddCC1Vo13jcyB3/iKZkdfHj89RpCWhJRi/+SOoXpCrq
ABnMNSoFVIlmDA5aggnevS4or3hOoTp9LosPY/86M4+cYnpIFyZJd4SzwXNg58U6
aEmal9ypfss5kF4gSnZBLnLhE4XYkjSrvxGaRhYeyDI/3mMAKUb1/VeaiMqVAvfs
J9k9kOtLspYv5gTDfKK+yucqVTmRIbr/z1jikH+KX+OSR3HRUrcWm1wEWZCdxa5I
2CeZY0q3kAZK5pGvaAxgJlvYfEHShHio19Poc0qsMW2UcwB62YNJ/ybuKFHnZM+Y
ACqYh+dcH2v/2DNxigcH
=bFFM
-----END PGP SIGNATURE-----
Merge tag 'usercopy-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull hardened usercopy fixes from Kees Cook:
- inline copy_*_user() for correct use of __builtin_const_p() for
hardened usercopy and the recent compile-time checks.
- switch hardened usercopy to only check non-const size arguments to
avoid meaningless checks on likely-sane const values.
- update lkdtm usercopy tests to compenstate for the const checking.
* tag 'usercopy-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
lkdtm: adjust usercopy tests to bypass const checks
usercopy: fold builtin_const check into inline function
x86/uaccess: force copy_*_user() to be inlined
Update the syscall number after each PTRACE_SETREGS on ORIG_*AX.
This is needed to get the potentially altered syscall number in the
seccomp filters after RET_TRACE.
This fix four seccomp_bpf tests:
> [ RUN ] TRACE_syscall.skip_after_RET_TRACE
> seccomp_bpf.c:1560:TRACE_syscall.skip_after_RET_TRACE:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1561:TRACE_syscall.skip_after_RET_TRACE:Expected 1 (1) == (*__errno_location ()) (22)
> [ FAIL ] TRACE_syscall.skip_after_RET_TRACE
> [ RUN ] TRACE_syscall.kill_after_RET_TRACE
> TRACE_syscall.kill_after_RET_TRACE: Test exited normally instead of by signal (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_RET_TRACE
> [ RUN ] TRACE_syscall.skip_after_ptrace
> seccomp_bpf.c:1622:TRACE_syscall.skip_after_ptrace:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1623:TRACE_syscall.skip_after_ptrace:Expected 1 (1) == (*__errno_location ()) (22)
> [ FAIL ] TRACE_syscall.skip_after_ptrace
> [ RUN ] TRACE_syscall.kill_after_ptrace
> TRACE_syscall.kill_after_ptrace: Test exited normally instead of by signal (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_ptrace
Fixes: 26703c636c ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Keep the same semantic as before the commit 26703c636c: deallocate
audit context and fake a proper syscall exit.
This fix a kernel panic triggered by the seccomp_bpf test:
> [ RUN ] global.ERRNO_valid
> BUG: failure at kernel/auditsc.c:1504/__audit_syscall_entry()!
> Kernel panic - not syncing: BUG!
Fixes: 26703c636c ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Add a tracepoint for working out where local aborts happen. Each
tracepoint call is labelled with a 3-letter code so that they can be
distinguished - and the DATA sequence number is added too where available.
rxrpc_kernel_abort_call() also takes a 3-letter code so that AFS can
indicate the circumstances when it aborts a call.
Signed-off-by: David Howells <dhowells@redhat.com>
rxrpc_set_call_completion() returns bool, not int, so the ret variable
should match this.
rxrpc_call_completed() and __rxrpc_call_completed() should return the value
of rxrpc_set_call_completion().
Signed-off-by: David Howells <dhowells@redhat.com>
rxrpc calls shouldn't hold refs on the sock struct. This was done so that
the socket wouldn't go away whilst the call was in progress, such that the
call could reach the socket's queues.
However, we can mark the socket as requiring an RCU release and rely on the
RCU read lock.
To make this work, we do:
(1) rxrpc_release_call() removes the call's call user ID. This is now
only called from socket operations and not from the call processor:
rxrpc_accept_call() / rxrpc_kernel_accept_call()
rxrpc_reject_call() / rxrpc_kernel_reject_call()
rxrpc_kernel_end_call()
rxrpc_release_calls_on_socket()
rxrpc_recvmsg()
Though it is also called in the cleanup path of
rxrpc_accept_incoming_call() before we assign a user ID.
(2) Pass the socket pointer into rxrpc_release_call() rather than getting
it from the call so that we can get rid of uninitialised calls.
(3) Fix call processor queueing to pass a ref to the work queue and to
release that ref at the end of the processor function (or to pass it
back to the work queue if we have to requeue).
(4) Skip out of the call processor function asap if the call is complete
and don't requeue it if the call is complete.
(5) Clean up the call immediately that the refcount reaches 0 rather than
trying to defer it. Actual deallocation is deferred to RCU, however.
(6) Don't hold socket refs for allocated calls.
(7) Use the RCU read lock when queueing a message on a socket and treat
the call's socket pointer according to RCU rules and check it for
NULL.
We also need to use the RCU read lock when viewing a call through
procfs.
(8) Transmit the final ACK/ABORT to a client call in rxrpc_release_call()
if this hasn't been done yet so that we can then disconnect the call.
Once the call is disconnected, it won't have any access to the
connection struct and the UDP socket for the call work processor to be
able to send the ACK. Terminal retransmission will be handled by the
connection processor.
(9) Release all calls immediately on the closing of a socket rather than
trying to defer this. Incomplete calls will be aborted.
The call refcount model is much simplified. Refs are held on the call by:
(1) A socket's user ID tree.
(2) A socket's incoming call secureq and acceptq.
(3) A kernel service that has a call in progress.
(4) A queued call work processor. We have to take care to put any call
that we failed to queue.
(5) sk_buffs on a socket's receive queue. A future patch will get rid of
this.
Whilst we're at it, we can do:
(1) Get rid of the RXRPC_CALL_EV_RELEASE event. Release is now done
entirely from the socket routines and never from the call's processor.
(2) Get rid of the RXRPC_CALL_DEAD state. Calls now end in the
RXRPC_CALL_COMPLETE state.
(3) Get rid of the rxrpc_call::destroyer work item. Calls are now torn
down when their refcount reaches 0 and then handed over to RCU for
final cleanup.
(4) Get rid of the rxrpc_call::deadspan timer. Calls are cleaned up
immediately they're finished with and don't hang around.
Post-completion retransmission is handled by the connection processor
once the call is disconnected.
(5) Get rid of the dead call expiry setting as there's no longer a timer
to set.
(6) rxrpc_destroy_all_calls() can just check that the call list is empty.
Signed-off-by: David Howells <dhowells@redhat.com>
Use rxrpc_is_service_call() rather than rxrpc_conn_is_service() if the call
is available just in case call->conn is NULL.
Signed-off-by: David Howells <dhowells@redhat.com>
Pass the connection pointer to rxrpc_post_packet_to_call() as the call
might get disconnected whilst we're looking at it, but the connection
pointer determined by rxrpc_data_read() is guaranteed by RCU for the
duration of the call.
Signed-off-by: David Howells <dhowells@redhat.com>
Cache the security index in the rxrpc_call struct so that we can get at it
even when the call has been disconnected and the connection pointer
cleared.
Signed-off-by: David Howells <dhowells@redhat.com>
Use call->peer rather than call->conn->params.peer to avoid the possibility
of call->conn being NULL and, whilst we're at it, check it for NULL before we
access it.
Signed-off-by: David Howells <dhowells@redhat.com>
Improve the call tracking tracepoint by showing more differentiation
between some of the put and get events, including:
(1) Getting and putting refs for the socket call user ID tree.
(2) Getting and putting refs for queueing and failing to queue the call
processor work item.
Note that these aren't necessarily used in this patch, but will be taken
advantage of in future patches.
An enum is added for the event subtype numbers rather than coding them
directly as decimal numbers and a table of 3-letter strings is provided
rather than a sequence of ?: operators.
Signed-off-by: David Howells <dhowells@redhat.com>
User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide SSID IE with length exceeding
the allowed size. The driver further processes this IE copying it
into a local variable without checking the length. Hence stack can be
corrupted and used as exploit.
Cc: stable@vger.kernel.org # v4.7
Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
A regression was introduced in commit id 79d4db1214 ("ath9k: cleanup
led_pin initial") that broken the WLAN status led on my laptop with
AR9287 after suspending and resuming.
Steps to reproduce:
* Suspend (laptop)
* Resume (laptop)
* Observe that the WLAN led no longer turns ON/OFF depending on the
status and is always red
Even though for my case it only needs to be set to OUT in ath9k_start
but for consistency bring back the IN direction setting as well.
Fixes: 79d4db1214 ("ath9k: cleanup led_pin initial")
Cc: Miaoqing Pan <miaoqing@codeaurora.org>
Cc: Kalle Valo <kvalo@qca.qualcomm.com>
Cc: <stable@vger.kernel.org> # 4.7+
Link: https://bugzilla.kernel.org/show_bug.cgi?id=151711
Signed-off-by: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
[kvalo@qca.qualcomm.com: improve commit log]
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
When building a kernel with CONFIG_PM_SLEEP=n, we
get the following warning:
drivers/usb/dwc3/dwc3-pci.c:253:12: warning: 'dwc3_pci_pm_dummy' defined but not used
In order to fix this, we should only define
dwc3_pci_pm_dummy() when CONFIG_PM_SLEEP is defined.
Fixes: f6c274e11e ("usb: dwc3: pci: runtime_resume child device")
Reported-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
gpio_to_irq does not return NO_IRQ but instead returns a negative
error code on failure. Returning NO_IRQ from the function has no
negative effects as we only compare the result to the expected
interrupt number, but it's better to return a proper failure
code for consistency, and we should remove NO_IRQ from the kernel
entirely.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reported-by: Ma Yuying <yuma@redhat.com>
Suggested-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Bert Kenward <bkenward@solarflare.com>
Reviewed-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The newly added bpf_overflow_handler function is only built of both
CONFIG_EVENT_TRACING and CONFIG_BPF_SYSCALL are enabled, but the caller
only checks the latter:
kernel/events/core.c: In function 'perf_event_alloc':
kernel/events/core.c:9106:27: error: 'bpf_overflow_handler' undeclared (first use in this function)
This changes the caller so we also skip this call if CONFIG_EVENT_TRACING
is disabled entirely.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: aa6a5f3cb2 ("perf, bpf: add perf events core support for BPF_PROG_TYPE_PERF_EVENT programs")
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
We get 1 warning when building kernel with W=1:
drivers/net/ethernet/arc/emac_mdio.c:107:5: warning: no previous prototype for 'arc_mdio_reset' [-Wmissing-prototypes]
In fact, this function is only used in the file in which it is
declared and don't need a declaration, but can be made static.
so this patch marks this function with 'static'.
Signed-off-by: Baoyou Xie <baoyou.xie@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
We get a few warnings when building kernel with W=1:
drivers/net/usb/lan78xx.c:1182:6: warning: no previous prototype for 'lan78xx_defer_kevent' [-Wmissing-prototypes]
drivers/net/usb/lan78xx.c:1409:5: warning: no previous prototype for 'lan78xx_nway_reset' [-Wmissing-prototypes]
drivers/net/usb/lan78xx.c:2000:5: warning: no previous prototype for 'lan78xx_set_mac_addr' [-Wmissing-prototypes]
....
In fact, these functions are only used in the file in which they are
declared and don't need a declaration, but can be made static.
so this patch marks these functions with 'static'.
Signed-off-by: Baoyou Xie <baoyou.xie@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Adds support for several infrastructure operations that are done as part of
debug data collection.
Signed-off-by: Tomer Tayar <Tomer.Tayar@qlogic.com>
Signed-off-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Alexander Duyck <aduyck@mirantis.com>
Tested-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In general, when DAD detected IPv6 duplicate address, ifp->state
will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
delayed work, the call tree should be like this:
ndisc_recv_ns
-> addrconf_dad_failure <- missing ifp put
-> addrconf_mod_dad_work
-> schedule addrconf_dad_work()
-> addrconf_dad_stop() <- missing ifp hold before call it
addrconf_dad_failure() called with ifp refcont holding but not put.
addrconf_dad_work() call addrconf_dad_stop() without extra holding
refcount. This will not cause any issue normally.
But the race between addrconf_dad_failure() and addrconf_dad_work()
may cause ifp refcount leak and netdevice can not be unregister,
dmesg show the following messages:
IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
...
unregister_netdevice: waiting for eth0 to become free. Usage count = 1
Cc: stable@vger.kernel.org
Fixes: c15b1ccadb ("ipv6: move DAD and addrconf_verify processing
to workqueue")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
There is a code path where we are calling __iowrite64_copy() on
an address that is not 64-bit aligned. This causes an exception on
some architectures such as arm64. Fix that code path by using
__iowrite32_copy().
Reported-by: JD Zheng <jiandong.zheng@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When deleting an IP address from an interface, there is a clean-up of
routes which refer to this local address. However, there was no check to
see that the VRF matched. This meant that deletion wasn't confined to
the VRF it should have been.
To solve this, a new field has been added to fib_info to hold a table
id. When removing fib entries corresponding to a local ip address, this
table id is also used in the comparison.
The table id is populated when the fib_info is created. This was already
done in some places, but not in ip_rt_ioctl(). This has now been fixed.
Fixes: 021dd3b8a1 ("net: Add routes to the table associated with the device")
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Tested-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
