Commit Graph

811127 Commits

Author SHA1 Message Date
Mathieu Malaterre
583c531853 bpf: Make function btf_name_offset_valid static
Initially in commit 69b693f0ae ("bpf: btf: Introduce BPF Type Format
(BTF)") the function 'btf_name_offset_valid' was introduced as static
function it was later on changed to a non-static one, and then finally
in commit 23127b33ec ("bpf: Create a new btf_name_by_offset() for
non type name use case") the function prototype was removed.

Revert back to original implementation and make the function static.
Remove warning triggered with W=1:

  kernel/bpf/btf.c:470:6: warning: no previous prototype for 'btf_name_offset_valid' [-Wmissing-prototypes]

Fixes: 23127b33ec ("bpf: Create a new btf_name_by_offset() for non type name use case")
Signed-off-by: Mathieu Malaterre <malat@debian.org>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2019-01-17 16:47:05 +01:00
Stanislav Fomichev
f67ad87ab3 selftests/bpf: retry tests that expect build-id
While running test_progs in a loop I found out that I'm sometimes hitting
"Didn't find expected build ID from the map" error.

Looking at stack_map_get_build_id_offset() it seems that it is racy (by
design) and can sometimes return BPF_STACK_BUILD_ID_IP (i.e. can't trylock
current->mm->mmap_sem).

Let's retry this test a single time.

Fixes: 13790d1cc7 ("bpf: add selftest for stackmap with build_id in NMI context")
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2019-01-17 16:43:18 +01:00
Stanislav Fomichev
4af396ae48 bpf: zero out build_id for BPF_STACK_BUILD_ID_IP
When returning BPF_STACK_BUILD_ID_IP from stack_map_get_build_id_offset,
make sure that build_id field is empty. Since we are using percpu
free list, there is a possibility that we might reuse some previous
bpf_stack_build_id with non-zero build_id.

Fixes: 615755a77b ("bpf: extend stackmap to save binary_build_id+offset instead of address")
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2019-01-17 16:42:35 +01:00
Stanislav Fomichev
0b698005a9 bpf: don't assume build-id length is always 20 bytes
Build-id length is not fixed to 20, it can be (`man ld` /--build-id):
  * 128-bit (uuid)
  * 160-bit (sha1)
  * any length specified in ld --build-id=0xhexstring

To fix the issue of missing BPF_STACK_BUILD_ID_VALID for shorter build-ids,
assume that build-id is somewhere in the range of 1 .. 20.
Set the remaining bytes to zero.

v2:
* don't introduce new "len = min(BPF_BUILD_ID_SIZE, nhdr->n_descsz)",
  we already know that nhdr->n_descsz <= BPF_BUILD_ID_SIZE if we enter
  this 'if' condition

Fixes: 615755a77b ("bpf: extend stackmap to save binary_build_id+offset instead of address")
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2019-01-17 16:42:35 +01:00
David Howells
34fa47612b afs: Fix race in async call refcounting
There's a race between afs_make_call() and afs_wake_up_async_call() in the
case that an error is returned from rxrpc_kernel_send_data() after it has
queued the final packet.

afs_make_call() will try and clean up the mess, but the call state may have
been moved on thereby causing afs_process_async_call() to also try and to
delete the call.

Fix this by:

 (1) Getting an extra ref for an asynchronous call for the call itself to
     hold.  This makes sure the call doesn't evaporate on us accidentally
     and will allow the call to be retained by the caller in a future
     patch.  The ref is released on leaving afs_make_call() or
     afs_wait_for_call_to_complete().

 (2) In the event of an error from rxrpc_kernel_send_data():

     (a) Don't set the call state to AFS_CALL_COMPLETE until *after* the
     	 call has been aborted and ended.  This prevents
     	 afs_deliver_to_call() from doing anything with any notifications
     	 it gets.

     (b) Explicitly end the call immediately to prevent further callbacks.

     (c) Cancel any queued async_work and wait for the work if it's
     	 executing.  This allows us to be sure the race won't recur when we
     	 change the state.  We put the work queue's ref on the call if we
     	 managed to cancel it.

     (d) Put the call's ref that we got in (1).  This belongs to us as long
     	 as the call is in state AFS_CALL_CL_REQUESTING.

Fixes: 341f741f04 ("afs: Refcount the afs_call struct")
Signed-off-by: David Howells <dhowells@redhat.com>
2019-01-17 15:17:28 +00:00
David Howells
7a75b0079a afs: Provide a function to get a ref on a call
Provide a function to get a reference on an afs_call struct.

Signed-off-by: David Howells <dhowells@redhat.com>
2019-01-17 15:17:28 +00:00
David Howells
59d49076ae afs: Fix key refcounting in file locking code
Fix the refcounting of the authentication keys in the file locking code.
The vnode->lock_key member points to a key on which it expects to be
holding a ref, but it isn't always given an extra ref, however.

Fixes: 0fafdc9f88 ("afs: Fix file locking")
Signed-off-by: David Howells <dhowells@redhat.com>
2019-01-17 15:17:28 +00:00
Marc Dionne
4882a27cec afs: Don't set vnode->cb_s_break in afs_validate()
A cb_interest record is not necessarily attached to the vnode on entry to
afs_validate(), which can cause an oops when we try to bring the vnode's
cb_s_break up to date in the default case (ie. no current callback promise
and the vnode has not been deleted).

Fix this by simply removing the line, as vnode->cb_s_break will be set when
needed by afs_register_server_cb_interest() when we next get a callback
promise from RPC call.

The oops looks something like:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
    ...
    RIP: 0010:afs_validate+0x66/0x250 [kafs]
    ...
    Call Trace:
     afs_d_revalidate+0x8d/0x340 [kafs]
     ? __d_lookup+0x61/0x150
     lookup_dcache+0x44/0x70
     ? lookup_dcache+0x44/0x70
     __lookup_hash+0x24/0xa0
     do_unlinkat+0x11d/0x2c0
     __x64_sys_unlink+0x23/0x30
     do_syscall_64+0x4d/0xf0
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: ae3b7361dc ("afs: Fix validation/callback interaction")
Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2019-01-17 15:15:52 +00:00
Logan Gunthorpe
d2fd6e8191 PCI: Fix __initdata issue with "pci=disable_acs_redir" parameter
The disable_acs_redir parameter stores a pointer to the string passed to
pci_setup().  However, the string passed to PCI setup is actually a
temporary copy allocated in static __initdata memory.  After init, once the
memory is freed, it is no longer valid to reference this pointer.

This bug was noticed in v5.0-rc1 after a change in commit c5eb119007
("PCI / PM: Allow runtime PM without callback functions") caused
pci_disable_acs_redir() to be called during shutdown which manifested
as an unable to handle kernel paging request at:

  RIP: 0010:pci_enable_acs+0x3f/0x1e0
  Call Trace:
     pci_restore_state.part.44+0x159/0x3c0
     pci_restore_standard_config+0x33/0x40
     pci_pm_runtime_resume+0x2b/0xd0
     ? pci_restore_standard_config+0x40/0x40
     __rpm_callback+0xbc/0x1b0
     rpm_callback+0x1f/0x70
     ? pci_restore_standard_config+0x40/0x40
      rpm_resume+0x4f9/0x710
     ? pci_conf1_read+0xb6/0xf0
     ? pci_conf1_write+0xb2/0xe0
     __pm_runtime_resume+0x47/0x70
     pci_device_shutdown+0x1e/0x60
     device_shutdown+0x14a/0x1f0
     kernel_restart+0xe/0x50
     __do_sys_reboot+0x1ee/0x210
     ? __fput+0x144/0x1d0
     do_writev+0x5e/0xf0
     ? do_writev+0x5e/0xf0
     do_syscall_64+0x48/0xf0
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

It was also likely possible to trigger this bug when hotplugging PCI
devices.

To fix this, instead of storing a pointer, we use kstrdup() to copy the
disable_acs_redir_param to its own buffer which will never be freed.

Fixes: aaca43fda7 ("PCI: Add "pci=disable_acs_redir=" parameter for peer-to-peer support")
Tested-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
2019-01-17 08:46:34 -06:00
Masahiro Yamada
e00d888048 kbuild: mark prepare0 as PHONY to fix external module build
Commit c3ff2a5193 ("powerpc/32: add stack protector support")
caused kernel panic on PowerPC when an external module is used with
CONFIG_STACKPROTECTOR because the 'prepare' target was not executed
for the external module build.

Commit e07db28eea ("kbuild: fix single target build for external
module") turned it into a build error because the 'prepare' target is
now executed but the 'prepare0' target is missing for the external
module build.

External module on arm/arm64 with CONFIG_STACKPROTECTOR_PER_TASK is
also broken in the same way.

Move 'PHONY += prepare0' to the common place. GNU Make is fine with
missing rule for phony targets. I also removed the comment which is
wrong irrespective of this commit.

I minimize the change so it can be easily backported to 4.20.x

To fix v4.20, please backport e07db28eea ("kbuild: fix single target
build for external module"), and then this commit.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=201891
Fixes: e07db28eea ("kbuild: fix single target build for external module")
Fixes: c3ff2a5193 ("powerpc/32: add stack protector support")
Fixes: 189af46571 ("ARM: smp: add support for per-task stack canaries")
Fixes: 0a1213fa74 ("arm64: enable per-task stack canaries")
Cc: linux-stable <stable@vger.kernel.org> # v4.20
Reported-by: Samuel Holland <samuel@sholland.org>
Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
2019-01-17 23:42:59 +09:00
Masahiro Yamada
1b504a7bb1 openrisc: remove unneeded code in arch/openrisc/Makefile
- LDFLAGS_vmlinux is cleared by the top Makefile

 - 'all: vmlinux' is specified by the top Makefile

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2019-01-17 23:42:59 +09:00
Masahiro Yamada
558ee616d1 nds32: remove unneeded code in arch/nds32/Makefile
- scripts/Kbuild.include already defined 'comma'

 - The top Makefile has 'PHONY += FORCE'

 - include/asm-*/ was moved to arch/*/include/asm/ a decade ago

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2019-01-17 23:42:37 +09:00
Jani Nikula
15c05196ff Merge tag 'gvt-fixes-2018-01-17' of https://github.com/intel/gvt-linux into drm-intel-fixes
gvt-fixes-2018-01-17

- Fix one register cmd parser failure (Colin)
- Fix region cleanup for vGPU destroy (Henry)
- Fix mmap size check (Zhenyu)

Signed-off-by: Jani Nikula <jani.nikula@intel.com>
From: Zhenyu Wang <zhenyuw@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190117074604.GI18272@zhen-hp.sh.intel.com
2019-01-17 11:49:51 +02:00
Linus Torvalds
7fbfee7c80 Merge branch 'fixes-v5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem fixes from James Morris:
 "Fixes for the security subsystem.

  The first (by Casey actually - it's misattributed) fixes a regression
  introduced with the LSM stacking changes"

* 'fixes-v5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  LSM: Check for NULL cred-security on free
  Yama: Check for pid death before checking ancestry
  seccomp: fix UAF in user-trap code
2019-01-17 16:54:58 +12:00
Willem de Bruijn
0f149c9fec udp: with udp_segment release on error path
Failure __ip_append_data triggers udp_flush_pending_frames, but these
tests happen later. The skb must be freed directly.

Fixes: bec1f6f697 ("udp: generate gso with UDP_SEGMENT")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 15:48:11 -08:00
Taehee Yoo
1a9352687c net: bpfilter: change section name of bpfilter UMH blob.
The section of bpfilter UMH blob is the ".bpfilter_umh". but this is not
an explicit section. so linking warning occurred at compile time for the
powerpc.
So, this patch makes use of the ".rodata" instead of the ".bpfilter_umh".

Config condition:

CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=y

Result:

ld: warning: orphan section `.bpfilter_umh' from
`net/bpfilter/bpfilter_umh_blob.o' being placed in section `.bpfilter_umh'

Fixes: 61fbf5933d ("net: bpfilter: restart bpfilter_umh when error occurred")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 15:46:46 -08:00
James Morris
a5795fd38e LSM: Check for NULL cred-security on free
From: Casey Schaufler <casey@schaufler-ca.com>

Check that the cred security blob has been set before trying
to clean it up. There is a case during credential initialization
that could result in this.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Reported-by: syzbot+69ca07954461f189e808@syzkaller.appspotmail.com
2019-01-16 15:41:11 -08:00
Andrew Lunn
9e857a40dc net: phy: Add missing features to PHY drivers
The bcm87xx and micrel driver has PHYs which are missing the .features
value. Add them. The bcm87xx is a 10G FEC only PHY. Add the needed
features definition of this PHY.

Fixes: 719655a149 ("net: phy: Replace phy driver features u32 with link_mode bitmap")
Reported-by: Scott Wood <oss@buserror.net>
Reported-by: Camelia Groza <camelia.groza@nxp.com>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 15:41:02 -08:00
David Francis
35dad45d5c drm/amd/display: Detach backlight from stream
[Why]
Backlight is conceptually a property of links, not streams.
All backlight programming is done on links, but there is a
stream property bl_pwm_level that is used to restore backlight
on dpms on and s3 resume.  This is unnecessary, as backlight
is already restored by hardware with no driver intervention.

[How]
Remove bl_pwm_level, and the stream argument to set_backlight

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=109375
Signed-off-by: David Francis <David.Francis@amd.com>
Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
Acked-by: Anthony Koo <Anthony.Koo@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 923fe49512)
2019-01-16 17:11:47 -05:00
Jakub Kicinski
a5a82d8411 ipv6: route: place a warning with duplicated string with correct extack
"IPv6: " prefix is already added by pr_fmt, no need to include
it again in the pr_warn() format.  The message predates extack
support, we can replace the whole thing with an extack message.

Suggested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 14:06:34 -08:00
Davide Caratti
91fa038d94 selftests: tc-testing: fix parsing of ife type
In iproute2 commit 90c5c969f0b9 ("fix print_0xhex on 32 bit"), the format
specifier for the ife type changed from 0x%X to %#llX, causing systematic
failures in the following TDC test cases:

 7682 - Create valid ife encode action with mark and pass control
 ef47 - Create valid ife encode action with mark and pipe control
 df43 - Create valid ife encode action with mark and continue control
 e4cf - Create valid ife encode action with mark and drop control
 ccba - Create valid ife encode action with mark and reclassify control
 a1cf - Create valid ife encode action with mark and jump control
 cb3d - Create valid ife encode action with mark value at 32-bit maximum
 95ed - Create valid ife encode action with prio and pass control
 aa17 - Create valid ife encode action with prio and pipe control
 74c7 - Create valid ife encode action with prio and continue control
 7a97 - Create valid ife encode action with prio and drop control
 f66b - Create valid ife encode action with prio and reclassify control
 3056 - Create valid ife encode action with prio and jump control
 7dd3 - Create valid ife encode action with prio value at 32-bit maximum
 05bb - Create valid ife encode action with tcindex and pass control
 ce65 - Create valid ife encode action with tcindex and pipe control
 09cd - Create valid ife encode action with tcindex and continue control
 8eb5 - Create valid ife encode action with tcindex and continue control
 451a - Create valid ife encode action with tcindex and drop control
 d76c - Create valid ife encode action with tcindex and reclassify control
 e731 - Create valid ife encode action with tcindex and jump control
 b7b8 - Create valid ife encode action with tcindex value at 16-bit maximum
 2a9c - Create valid ife encode action with mac src parameter
 cf5c - Create valid ife encode action with mac dst parameter
 2353 - Create valid ife encode action with mac src and mac dst parameters
 552c - Create valid ife encode action with mark and type parameters
 0421 - Create valid ife encode action with prio and type parameters
 4017 - Create valid ife encode action with tcindex and type parameters
 fac3 - Create valid ife encode action with index at 32-bit maximnum
 7c25 - Create valid ife decode action with pass control
 dccb - Create valid ife decode action with pipe control
 7bb9 - Create valid ife decode action with continue control
 d9ad - Create valid ife decode action with drop control
 219f - Create valid ife decode action with reclassify control
 8f44 - Create valid ife decode action with jump control
 b330 - Create ife encode action with cookie

Change 'matchPattern' values, allowing '0' and '0x0' if ife type is equal
to 0, and accepting both '0x' and '0X' otherwise, to let these tests pass
both with old and new tc binaries.
While at it, fix a small typo in test case fac3 ('maximnum'->'maximum').

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 14:05:42 -08:00
Konstantin Khlebnikov
01b833ab44 net/core/neighbour: fix kmemleak minimal reference count for hash tables
This should be 1 for normal allocations, 0 disables leak reporting.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
Fixes: 85704cb8dc ("net/core/neighbour: tell kmemleak about hash tables")
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 13:39:18 -08:00
Xin Long
400b8b9a2a sctp: allocate sctp_sockaddr_entry with kzalloc
The similar issue as fixed in Commit 4a2eb0c37b ("sctp: initialize
sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists
in sctp_inetaddr_event, as Alexander noticed.

To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp
ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist().

Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 13:38:06 -08:00
Xin Long
20704bd163 erspan: build the header with the right proto according to erspan_ver
As said in draft-foschiano-erspan-03#section4:

   Different frame variants known as "ERSPAN Types" can be
   distinguished based on the GRE "Protocol Type" field value: Type I
   and II's value is 0x88BE while Type III's is 0x22EB [ETYPES].

So set it properly in erspan_xmit() according to erspan_ver. While at
it, also remove the unused parameter 'proto' in erspan_fb_xmit().

Fixes: 94d7d8f292 ("ip6_gre: add erspan v2 support")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 13:36:43 -08:00
Ross Lagerwall
04a4af334b openvswitch: Avoid OOB read when parsing flow nlattrs
For nested and variable attributes, the expected length of an attribute
is not known and marked by a negative number.  This results in an OOB
read when the expected length is later used to check if the attribute is
all zeros. Fix this by using the actual length of the attribute rather
than the expected length.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 13:35:21 -08:00
Dmitry Bezrukov
9098f21f4c net: usb: aqc111: Extend HWID table by TRENDnet device
New device of TRENDnet based on aqc111u
Add this ID to blacklist of cdc_ether driver as well

Signed-off-by: Dmitry Bezrukov <dmitry.bezrukov@aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 13:32:42 -08:00
Cong Wang
cd0c4e70fc net_sched: refetch skb protocol for each filter
Martin reported a set of filters don't work after changing
from reclassify to continue. Looking into the code, it
looks like skb protocol is not always fetched for each
iteration of the filters. But, as demonstrated by Martin,
TC actions could modify skb->protocol, for example act_vlan,
this means we have to refetch skb protocol in each iteration,
rather than using the one we fetch in the beginning of the loop.

This bug is _not_ introduced by commit 3b3ae88026
("net: sched: consolidate tc_classify{,_compat}"), technically,
if act_vlan is the only action that modifies skb protocol, then
it is commit c7e2b9689e ("sched: introduce vlan action") which
introduced this bug.

Reported-by: Martin Olsson <martin.olsson+netdev@sentorsecurity.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-16 13:25:11 -08:00
Kees Cook
9474f4e7cd Yama: Check for pid death before checking ancestry
It's possible that a pid has died before we take the rcu lock, in which
case we can't walk the ancestry list as it may be detached. Instead, check
for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487fa ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-16 12:00:56 -08:00
Jerome Brunet
3705add0b7 dt-bindings: reset: meson-axg: fix SPDX license id
As reported, the SPDX license id is not placed correctly and the variant
of the BSD License used should be specified.

Fixes: c16292578f ("dt-bindings: reset: Add bindings for the Meson-AXG SoC Reset Controller")
Reported-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-16 12:50:27 -06:00
Krzysztof Kozlowski
9eac0ae168 dt-bindings: soc: qcom: Fix trivial language typos
Fix few trivial language typos in bindings.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-16 12:50:27 -06:00
Otto Sabart
889f4ce60e doc: gpio-mvebu: fix broken reference to cp110-system-controller0.txt file
The cp110-system-controller0.txt file was renamed to
cp110-system-controller.txt.

Fixes: 4aa5496980 ("dt-bindings: cp110: rename cp110 syscon file")
Signed-off-by: Otto Sabart <ottosabart@seberm.com>
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-16 12:50:27 -06:00
Julia Lawall
28b170e88b OF: properties: add missing of_node_put
Add an of_node_put when the result of of_graph_get_remote_port_parent is
not available.

The semantic match that finds this problem is as follows
(http://coccinelle.lip6.fr):

// <smpl>
@r exists@
local idexpression e;
expression x;
@@
e = of_graph_get_remote_port_parent(...);
... when != x = e
    when != true e == NULL
    when != of_node_put(e)
    when != of_fwnode_handle(e)
(
return e;
|
*return ...;
)
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-16 12:49:53 -06:00
Juergen Gross
867cefb4cb xen: Fix x86 sched_clock() interface for xen
Commit f94c8d1169 ("sched/clock, x86/tsc: Rework the x86 'unstable'
sched_clock() interface") broke Xen guest time handling across
migration:

[  187.249951] Freezing user space processes ... (elapsed 0.001 seconds) done.
[  187.251137] OOM killer disabled.
[  187.251137] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
[  187.252299] suspending xenstore...
[  187.266987] xen:grant_table: Grant tables using version 1 layout
[18446743811.706476] OOM killer enabled.
[18446743811.706478] Restarting tasks ... done.
[18446743811.720505] Setting capacity to 16777216

Fix that by setting xen_sched_clock_offset at resume time to ensure a
monotonic clock value.

[boris: replaced pr_info() with pr_info_once() in xen_callback_vector()
 to avoid printing with incorrect timestamp during resume (as we
 haven't re-adjusted the clock yet)]

Fixes: f94c8d1169 ("sched/clock, x86/tsc: Rework the x86 'unstable' sched_clock() interface")
Cc: <stable@vger.kernel.org> # 4.11
Reported-by: Hans van Kranenburg <hans.van.kranenburg@mendix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Tested-by: Hans van Kranenburg <hans.van.kranenburg@mendix.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
2019-01-16 13:06:05 -05:00
Ming Lei
c45b1fa243 nvme-pci: fix nvme_setup_irqs()
When -ENOSPC is returned from pci_alloc_irq_vectors_affinity(),
we still try to allocate multiple irq vectors again, so irq queues
covers the admin queue actually. But we don't consider that, then
number of the allocated irq vector may be same with sum of
io_queues[HCTX_TYPE_DEFAULT] and io_queues[HCTX_TYPE_READ], this way
is obviously wrong, and finally breaks nvme_pci_map_queues(), and
warning from pci_irq_get_affinity() is triggered.

IRQ queues should cover admin queues, this patch makes this
point explicitely in nvme_calc_io_queues().

We got severl boot failure internal report on aarch64, so please
consider to fix it in v4.20.

Fixes: 6451fe73fa ("nvme: fix irq vs io_queue calculations")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Keith Busch <keith.busch@intel.com>
Tested-by: fin4478 <fin4478@hotmail.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2019-01-16 09:44:28 -07:00
Sagi Grimberg
fb8658581a nvmet-tcp: fix uninitialized variable access
If we end up in nvmet_tcp_try_recv_one with a bogus state
queue receive state we will access result which is uninitialized.

Initialize restult to 0 which will be considered as if no data
was received by the tcp socket.

Fixes: 872d26a391 ("nvmet-tcp: add NVMe over TCP target driver")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2019-01-16 09:44:20 -07:00
Peter Rosin
890d14d2d4 fbdev: fbmem: convert CONFIG_FB_LOGO_CENTER into a cmd line option
A command line option is much more flexible than a config option and
the supporting code is small. Gets rid of #ifdefs in the code too...

Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2019-01-16 17:42:35 +01:00
Hans Verkuil
240809ef66 media: vim2m: only cancel work if it is for right context
cancel_delayed_work_sync() was called for any queue, but it should only
be called for the queue that is associated with the currently running job.

Otherwise, if two filehandles are streaming at the same time, then closing the
first will cancel the work which might still be running for a job from the
second filehandle. As a result the second filehandle will never be able to
finish the job and an attempt to stop streaming on that second filehandle will
stall.

Fixes: 52117be68b ("media: vim2m: use cancel_delayed_work_sync instead of flush_schedule_work")

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: <stable@vger.kernel.org>      # for v4.20 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-01-16 11:13:25 -05:00
Sakari Ailus
7fe9f01c04 media: v4l: ioctl: Validate num_planes for debug messages
The num_planes field in struct v4l2_pix_format_mplane is used in a loop
before validating it. As the use is printing a debug message in this case,
just cap the value to the maximum allowed.

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: <stable@vger.kernel.org>      # for v4.12 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-01-16 11:12:38 -05:00
Sakari Ailus
9048b2e15b media: v4l: ioctl: Validate num_planes before using it
The for loop to reset the memory of the plane reserved fields runs over
num_planes provided by the user without validating it. Ensure num_planes
is no more than VIDEO_MAX_PLANES before the loop.

Fixes: 4e1e0eb0e0 ("media: v4l2-ioctl: Zero v4l2_plane_pix_format reserved fields")

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-01-16 11:12:10 -05:00
Thierry Reding
dd91642ac7 media: v4l2-ioctl: Clear only per-plane reserved fields
Currently the IOCTL code clears everything after the per-plane
bytesperline field in struct v4l2_format. The intent was to only clear
the per-plane reserved fields since there is data in struct v4l2_format
after the per-plane format data that userspace may have filled in.

Fixes: 4e1e0eb0e0 ("media: v4l2-ioctl: Zero v4l2_plane_pix_format reserved fields")

Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: fix checkpatch alignment warning]
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-01-16 11:10:49 -05:00
Christoph Hellwig
227a76b647 swiotlb: clear io_tlb_start and io_tlb_end in swiotlb_exit
Otherwise is_swiotlb_buffer will return false positives when
we first initialize a swiotlb buffer, but then free it because
we have an IOMMU available.

Fixes: 55897af630 ("dma-direct: merge swiotlb_dma_ops into the dma_direct code")
Reported-by: Sibren Vasse <sibren@sibrenvasse.nl>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: Sibren Vasse <sibren@sibrenvasse.nl>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2019-01-16 09:59:17 -05:00
Masahiro Yamada
be3bb599d8 ia64: remove redundant 'export AWK'
This is exported by the top Makefile.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2019-01-16 23:31:18 +09:00
Masahiro Yamada
b421b8a6cb kbuild: remove unused archmrproper
No one uses archmrproper.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2019-01-16 23:31:17 +09:00
Ming Lei
7809167da5 block: don't lose track of REQ_INTEGRITY flag
We need to pass bio->bi_opf after bio intergrity preparing, otherwise
the flag of REQ_INTEGRITY may not be set on the allocated request, then
breaks block integrity.

Fixes: f9afca4d36 ("blk-mq: pass in request/bio flags to queue mapping")
Cc: Hannes Reinecke <hare@suse.com>
Cc: Keith Busch <keith.busch@intel.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2019-01-16 07:28:10 -07:00
Andrey Konovalov
7fa1e2e6af kasan, arm64: remove redundant ARCH_SLAB_MINALIGN define
Defining ARCH_SLAB_MINALIGN in arch/arm64/include/asm/cache.h when KASAN
is off is not needed, as it is defined in defined in include/linux/slab.h
as ifndef.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
2019-01-16 12:09:11 +00:00
Ard Biesheuvel
1598ecda7b arm64: kaslr: ensure randomized quantities are clean to the PoC
kaslr_early_init() is called with the kernel mapped at its
link time offset, and if it returns with a non-zero offset,
the kernel is unmapped and remapped again at the randomized
offset.

During its execution, kaslr_early_init() also randomizes the
base of the module region and of the linear mapping of DRAM,
and sets two variables accordingly. However, since these
variables are assigned with the caches on, they may get lost
during the cache maintenance that occurs when unmapping and
remapping the kernel, so ensure that these values are cleaned
to the PoC.

Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Fixes: f80fb3a3d5 ("arm64: add support for kernel ASLR")
Cc: <stable@vger.kernel.org> # v4.6+
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
2019-01-16 12:00:46 +00:00
James Morse
2f97967503 arm64: kpti: Update arm64_kernel_use_ng_mappings() when forced on
Since commit b89d82ef01 ("arm64: kpti: Avoid rewriting early page
tables when KASLR is enabled"), a kernel built with CONFIG_RANDOMIZE_BASE
can decide early whether to use non-global mappings by checking the
kaslr_offset().

A kernel built without CONFIG_RANDOMIZE_BASE, instead checks the
cpufeature static-key.

This leaves a gap where CONFIG_RANDOMIZE_BASE was enabled, no
kaslr seed was provided, but kpti was forced on using the cmdline
option.

When the decision is made late, kpti_install_ng_mappings() will re-write
the page tables, but arm64_kernel_use_ng_mappings()'s value does not
change as it only tests the cpufeature static-key if
CONFIG_RANDOMIZE_BASE is disabled.
This function influences PROT_DEFAULT via PTE_MAYBE_NG, and causes
pgattr_change_is_safe() to catch nG->G transitions when the unchanged
PROT_DEFAULT is used as part of PAGE_KERNEL_RO:
[    1.942255] alternatives: patching kernel code
[    1.998288] ------------[ cut here ]------------
[    2.000693] kernel BUG at arch/arm64/mm/mmu.c:165!
[    2.019215] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[    2.020257] Modules linked in:
[    2.020807] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc2 #51
[    2.021917] Hardware name: linux,dummy-virt (DT)
[    2.022790] pstate: 40000005 (nZcv daif -PAN -UAO)
[    2.023742] pc : __create_pgd_mapping+0x508/0x6d0
[    2.024671] lr : __create_pgd_mapping+0x500/0x6d0

[    2.058059] Process swapper/0 (pid: 1, stack limit = 0x(____ptrval____))
[    2.059369] Call trace:
[    2.059845]  __create_pgd_mapping+0x508/0x6d0
[    2.060684]  update_mapping_prot+0x48/0xd0
[    2.061477]  mark_linear_text_alias_ro+0xdc/0xe4
[    2.070502]  smp_cpus_done+0x90/0x98
[    2.071216]  smp_init+0x100/0x114
[    2.071878]  kernel_init_freeable+0xd4/0x220
[    2.072750]  kernel_init+0x10/0x100
[    2.073455]  ret_from_fork+0x10/0x18

[    2.075414] ---[ end trace 3572f3a7782292de ]---
[    2.076389] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

If arm64_kernel_unmapped_at_el0() is true, arm64_kernel_use_ng_mappings()
should also be true.

Signed-off-by: James Morse <james.morse@arm.com>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>
CC: John Garry <john.garry@huawei.com>
CC: Will Deacon <will.deacon@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
2019-01-16 11:55:11 +00:00
Timotej Lazar
f2f98c1d7f net: phy: meson-gxl: Use the genphy_soft_reset callback
Since the referenced commit, Ethernet fails to come up at boot on the
board meson-gxl-s905x-libretech-cc. Fix this by re-enabling the
genphy_soft_reset callback for the Amlogic Meson GXL PHY driver.

Fixes: 6e2d85ec05 ("net: phy: Stop with excessive soft reset")
Signed-off-by: Timotej Lazar <timotej.lazar@araneo.si>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-15 22:27:34 -08:00
yupeng
a6c7c7aac2 net: add document for several snmp counters
add document for below counters:
TcpEstabResets
TcpAttemptFails
TcpOutRsts
TcpExtTCPSACKDiscard
TcpExtTCPDSACKIgnoredOld
TcpExtTCPDSACKIgnoredNoUndo
TcpExtTCPSackShifted
TcpExtTCPSackMerged
TcpExtTCPSackShiftFallback
TcpExtTCPWantZeroWindowAdv
TcpExtTCPToZeroWindowAdv
TcpExtTCPFromZeroWindowAdv
TcpExtDelayedACKs
TcpExtDelayedACKLocked
TcpExtDelayedACKLost
TcpExtTCPLossProbes
TcpExtTCPLossProbeRecovery

Signed-off-by: yupeng <yupeng0921@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-15 22:03:06 -08:00
Eric Dumazet
26fc181e6c fou, fou6: do not assume linear skbs
Both gue_err() and gue6_err() incorrectly assume
linear skbs. Fix them to use pskb_may_pull().

BUG: KMSAN: uninit-value in gue6_err+0x475/0xc40 net/ipv6/fou6.c:101
CPU: 0 PID: 18083 Comm: syz-executor1 Not tainted 5.0.0-rc1+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
 __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
 gue6_err+0x475/0xc40 net/ipv6/fou6.c:101
 __udp6_lib_err_encap_no_sk net/ipv6/udp.c:434 [inline]
 __udp6_lib_err_encap net/ipv6/udp.c:491 [inline]
 __udp6_lib_err+0x18d0/0x2590 net/ipv6/udp.c:522
 udplitev6_err+0x118/0x130 net/ipv6/udplite.c:27
 icmpv6_notify+0x462/0x9f0 net/ipv6/icmp.c:784
 icmpv6_rcv+0x18ac/0x3fa0 net/ipv6/icmp.c:872
 ip6_protocol_deliver_rcu+0xb5a/0x23a0 net/ipv6/ip6_input.c:394
 ip6_input_finish net/ipv6/ip6_input.c:434 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_input+0x2b6/0x350 net/ipv6/ip6_input.c:443
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x4e7/0x6d0 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ipv6_rcv+0x34b/0x3f0 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core net/core/dev.c:4973 [inline]
 __netif_receive_skb net/core/dev.c:5083 [inline]
 process_backlog+0x756/0x10e0 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x78b/0x1a60 net/core/dev.c:6412
 __do_softirq+0x53f/0x93a kernel/softirq.c:293
 do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1039
 </IRQ>
 do_softirq kernel/softirq.c:338 [inline]
 __local_bh_enable_ip+0x16f/0x1a0 kernel/softirq.c:190
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:696 [inline]
 ip6_finish_output2+0x1d64/0x25f0 net/ipv6/ip6_output.c:121
 ip6_finish_output+0xae4/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x5ca/0x710 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0x164/0x1d0 net/ipv6/output_core.c:176
 ip6_send_skb+0xfa/0x390 net/ipv6/ip6_output.c:1727
 udp_v6_send_skb+0x1733/0x1d20 net/ipv6/udp.c:1169
 udpv6_sendmsg+0x424e/0x45d0 net/ipv6/udp.c:1466
 inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg net/socket.c:631 [inline]
 ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
 __sys_sendmmsg+0x580/0xad0 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2237
 __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2237
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4a5204fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457ec9
RDX: 00000000040001ab RSI: 0000000020000240 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4a520506d4
R13: 00000000004c4ce5 R14: 00000000004d85d8 R15: 00000000ffffffff

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:159
 kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
 kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2754 [inline]
 __kmalloc_node_track_caller+0xe9e/0xff0 mm/slub.c:4377
 __kmalloc_reserve net/core/skbuff.c:140 [inline]
 __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
 alloc_skb include/linux/skbuff.h:1012 [inline]
 alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5288
 sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2091
 sock_alloc_send_skb+0xca/0xe0 net/core/sock.c:2108
 __ip6_append_data+0x42ed/0x5dc0 net/ipv6/ip6_output.c:1443
 ip6_append_data+0x3c2/0x650 net/ipv6/ip6_output.c:1619
 icmp6_send+0x2f5c/0x3c40 net/ipv6/icmp.c:574
 icmpv6_send+0xe5/0x110 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x5c/0x2c0 net/ipv6/route.c:2231
 dst_link_failure include/net/dst.h:427 [inline]
 vti_xmit net/ipv4/ip_vti.c:229 [inline]
 vti_tunnel_xmit+0xf3b/0x1ea0 net/ipv4/ip_vti.c:265
 __netdev_start_xmit include/linux/netdevice.h:4382 [inline]
 netdev_start_xmit include/linux/netdevice.h:4391 [inline]
 xmit_one net/core/dev.c:3278 [inline]
 dev_hard_start_xmit+0x604/0xc40 net/core/dev.c:3294
 __dev_queue_xmit+0x2e48/0x3b80 net/core/dev.c:3864
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3897
 neigh_direct_output+0x42/0x50 net/core/neighbour.c:1511
 neigh_output include/net/neighbour.h:508 [inline]
 ip6_finish_output2+0x1d4e/0x25f0 net/ipv6/ip6_output.c:120
 ip6_finish_output+0xae4/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x5ca/0x710 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0x164/0x1d0 net/ipv6/output_core.c:176
 ip6_send_skb+0xfa/0x390 net/ipv6/ip6_output.c:1727
 udp_v6_send_skb+0x1733/0x1d20 net/ipv6/udp.c:1169
 udpv6_sendmsg+0x424e/0x45d0 net/ipv6/udp.c:1466
 inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg net/socket.c:631 [inline]
 ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
 __sys_sendmmsg+0x580/0xad0 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2237
 __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2237
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Fixes: b8a51b38e4 ("fou, fou6: ICMP error handlers for FoU and GUE")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Stefano Brivio <sbrivio@redhat.com>
Cc: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-15 22:01:31 -08:00