Commit Graph

766473 Commits

Author SHA1 Message Date
Daniel Borkmann
a447da7d00 tls: fix use-after-free in tls_push_record
syzkaller managed to trigger a use-after-free in tls like the
following:

  BUG: KASAN: use-after-free in tls_push_record.constprop.15+0x6a2/0x810 [tls]
  Write of size 1 at addr ffff88037aa08000 by task a.out/2317

  CPU: 3 PID: 2317 Comm: a.out Not tainted 4.17.0+ #144
  Hardware name: LENOVO 20FBCTO1WW/20FBCTO1WW, BIOS N1FET47W (1.21 ) 11/28/2016
  Call Trace:
   dump_stack+0x71/0xab
   print_address_description+0x6a/0x280
   kasan_report+0x258/0x380
   ? tls_push_record.constprop.15+0x6a2/0x810 [tls]
   tls_push_record.constprop.15+0x6a2/0x810 [tls]
   tls_sw_push_pending_record+0x2e/0x40 [tls]
   tls_sk_proto_close+0x3fe/0x710 [tls]
   ? tcp_check_oom+0x4c0/0x4c0
   ? tls_write_space+0x260/0x260 [tls]
   ? kmem_cache_free+0x88/0x1f0
   inet_release+0xd6/0x1b0
   __sock_release+0xc0/0x240
   sock_close+0x11/0x20
   __fput+0x22d/0x660
   task_work_run+0x114/0x1a0
   do_exit+0x71a/0x2780
   ? mm_update_next_owner+0x650/0x650
   ? handle_mm_fault+0x2f5/0x5f0
   ? __do_page_fault+0x44f/0xa50
   ? mm_fault_error+0x2d0/0x2d0
   do_group_exit+0xde/0x300
   __x64_sys_exit_group+0x3a/0x50
   do_syscall_64+0x9a/0x300
   ? page_fault+0x8/0x30
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

This happened through fault injection where aead_req allocation in
tls_do_encryption() eventually failed and we returned -ENOMEM from
the function. Turns out that the use-after-free is triggered from
tls_sw_sendmsg() in the second tls_push_record(). The error then
triggers a jump to waiting for memory in sk_stream_wait_memory()
resp. returning immediately in case of MSG_DONTWAIT. What follows is
the trim_both_sgl(sk, orig_size), which drops elements from the sg
list added via tls_sw_sendmsg(). Now the use-after-free gets triggered
when the socket is being closed, where tls_sk_proto_close() callback
is invoked. The tls_complete_pending_work() will figure that there's
a pending closed tls record to be flushed and thus calls into the
tls_push_pending_closed_record() from there. ctx->push_pending_record()
is called from the latter, which is the tls_sw_push_pending_record()
from sw path. This again calls into tls_push_record(). And here the
tls_fill_prepend() will panic since the buffer address has been freed
earlier via trim_both_sgl(). One way to fix it is to move the aead
request allocation out of tls_do_encryption() early into tls_push_record().
This means we don't prep the tls header and advance state to the
TLS_PENDING_CLOSED_RECORD before allocation which could potentially
fail happened. That fixes the issue on my side.

Fixes: 3c4d755915 ("tls: kernel TLS support")
Reported-by: syzbot+5c74af81c547738e1684@syzkaller.appspotmail.com
Reported-by: syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:14:30 -07:00
David S. Miller
695ad876d0 Merge branch 'l2tp-l2tp_ppp-must-ignore-non-PPP-sessions'
Guillaume Nault says:

====================
l2tp: l2tp_ppp must ignore non-PPP sessions

The original L2TP code was written for version 2 of the protocol, which
could only carry PPP sessions. Then L2TPv3 generalised the protocol so that
it could transport different kinds of pseudo-wires. But parts of the
l2tp_ppp module still break in presence of non-PPP sessions.

Assuming L2TPv2 tunnels can only transport PPP sessions is right, but
l2tp_netlink failed to ensure that (fixed in patch 1).
When retrieving a session from an arbitrary tunnel, l2tp_ppp needs to
filter out non-PPP sessions (last occurrence fixed in patch 2).
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:12:37 -07:00
Guillaume Nault
ecd012e45a l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()
pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
'session' may be an Ethernet pseudo-wire.

However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
assumes l2tp_session_priv() points to a pppol2tp_session structure. For
an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
structure instead, making pppol2tp_session_ioctl() access invalid
memory.

Fixes: d9e31d17ce ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:12:37 -07:00
Guillaume Nault
de9bada5d3 l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all
L2TPv2 tunnels, and rightfully expect that only PPP sessions can be
found there. However, l2tp_netlink accepts creating Ethernet sessions
regardless of the underlying tunnel version.

This confuses pppol2tp_seq_session_show(), which expects that
l2tp_session_priv() returns a pppol2tp_session structure. When the
session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned
instead. This leads to invalid memory access when
pppol2tp_session_get_sock() later tries to dereference ps->sk.

Fixes: d9e31d17ce ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:12:37 -07:00
David S. Miller
eab9a2d5f3 Merge branch 'mlxsw-IPv6-and-reference-counting-fixes'
Ido Schimmel says:

====================
mlxsw: IPv6 and reference counting fixes

The first three patches fix a mismatch between the new IPv6 behavior
introduced in commit f34436a430 ("net/ipv6: Simplify route replace and
appending into multipath route") and mlxsw. The patches allow the driver
to support multipathing in IPv6 overlays with GRE tunnel devices. A
selftest will be submitted when net-next opens.

The last patch fixes a reference count problem of the port_vlan struct.
I plan to simplify the code in net-next, so that reference counting is
not necessary anymore.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:11:17 -07:00
Petr Machata
9e25826ffc mlxsw: spectrum_switchdev: Fix port_vlan refcounting
Switchdev notifications for addition of SWITCHDEV_OBJ_ID_PORT_VLAN are
distributed not only on clean addition, but also when flags on an
existing VLAN are changed. mlxsw_sp_bridge_port_vlan_add() calls
mlxsw_sp_port_vlan_get() to get at the port_vlan in question, which
implicitly references the object. This then leads to discrepancies in
reference counting when the VLAN is removed. spectrum.c warns about the
problem when the module is removed:

[13578.493090] WARNING: CPU: 0 PID: 2454 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2973 mlxsw_sp_port_remove+0xfd/0x110 [mlxsw_spectrum]
[...]
[13578.627106] Call Trace:
[13578.629617]  mlxsw_sp_fini+0x2a/0xe0 [mlxsw_spectrum]
[13578.634748]  mlxsw_core_bus_device_unregister+0x3e/0x130 [mlxsw_core]
[13578.641290]  mlxsw_pci_remove+0x13/0x40 [mlxsw_pci]
[13578.646238]  pci_device_remove+0x31/0xb0
[13578.650244]  device_release_driver_internal+0x14f/0x220
[13578.655562]  driver_detach+0x32/0x70
[13578.659183]  bus_remove_driver+0x47/0xa0
[13578.663134]  pci_unregister_driver+0x1e/0x80
[13578.667486]  mlxsw_sp_module_exit+0xc/0x3fa [mlxsw_spectrum]
[13578.673207]  __x64_sys_delete_module+0x13b/0x1e0
[13578.677888]  ? exit_to_usermode_loop+0x78/0x80
[13578.682374]  do_syscall_64+0x39/0xe0
[13578.685976]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fix by putting the port_vlan when mlxsw_sp_port_vlan_bridge_join()
determines it's a flag-only change.

Fixes: b3529af6bb ("spectrum: Reference count VLAN entries")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:11:16 -07:00
Ido Schimmel
ce45bded64 mlxsw: spectrum_router: Align with new route replace logic
Commit f34436a430 ("net/ipv6: Simplify route replace and appending
into multipath route") changed the IPv6 route replace logic so that the
first matching route (i.e., same metric) is replaced.

Have mlxsw replace the first matching route as well.

Fixes: f34436a430 ("net/ipv6: Simplify route replace and appending into multipath route")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:11:16 -07:00
Ido Schimmel
53b562df8c mlxsw: spectrum_router: Allow appending to dev-only routes
Commit f34436a430 ("net/ipv6: Simplify route replace and appending
into multipath route") changed the IPv6 route append logic so that
dev-only routes can be appended and not only gatewayed routes.

Align mlxsw with the new behaviour.

Fixes: f34436a430 ("net/ipv6: Simplify route replace and appending into multipath route")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:11:16 -07:00
Ido Schimmel
6eba08c362 ipv6: Only emit append events for appended routes
Current code will emit an append event in the FIB notification chain for
any route added with NLM_F_APPEND set, even if the route was not
appended to any existing route.

This is inconsistent with IPv4 where such an event is only emitted when
the new route is appended after an existing one.

Align IPv6 behavior with IPv4, thereby allowing listeners to more easily
handle these events.

Fixes: f34436a430 ("net/ipv6: Simplify route replace and appending into multipath route")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:11:16 -07:00
David S. Miller
41f9ba67f0 A handful of fixes:
* missing RCU grace period enforcement led to drivers freeing
    data structures before; fix from Dedy Lansky.
  * hwsim module init error paths were messed up; fixed it myself
    after a report from Colin King (who had sent a partial patch)
  * kernel-doc tag errors; fix from Luca Coelho
  * initialize the on-stack sinfo data structure when getting
    station information; fix from Sven Eckelmann
  * TXQ state dumping is now done from init, and when TXQs aren't
    initialized yet at that point, bad things happen, move the
    initialization; fix from Toke Høiland-Jørgensen.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEH1e1rEeCd0AIMq6MB8qZga/fl8QFAlsjswEACgkQB8qZga/f
 l8T7pg/8CkKKwJRR/0ZIrYOyku/yEuZHpZ071/9gFhUna86zEymC/NDDuu27frny
 G4TYJuQl/x5fyTLMteFkLd4oqiBP43X5Mh/UZtTG5jZVfU2W5PQSALSHn8SEQID6
 u2hQBY1vM82CQbgUH6UjlIps40Y92urP5OG6LhT9F/9DijPYgrkxoNote+4x5wgM
 gdL3yvXrmsExdgRFjuHTUXX8pT2J01UyxJAmuF0k5jMQzj6JGnwrLiSjUe4/a1qn
 qJC72GYAezXVjv8noIW+B+e5jwABj4AbL9lJbU8lxHymTykTVqLlJbtMWygFoF2Y
 rw8Gc2+eqafDnHzlgO0GXls2X89cbpmxBd3rdxq6J16oiAyNDmILw+w5Ap85bzck
 1lQ3OvzOi25+qTndHBuV4wK066UbYJVCybgN25RRbM0q+soTHRZrpk8wFC27fGW8
 Qt1BmyLBMvTDBkjBQ983QxLOJ8o0iNMuyKPxnULmveBRuhGfrDVOf8w7ueDSGJ61
 vlTBA3gUBCHrtl7L67Tr6iun4y8n8YWhOz6VljaN6L5FFg5fVX15d9me6hXmAtar
 ETbQFTPNWpFxYRElaIe+RFdtLkBFbE9rGLUZ1gQZ+WhH5YT+hDSqLm9WOJ61PbTv
 VmNKrelwjdXL06Ei6O6ptRO7hoy+N0Z2khqAOpvNwaE30NojGqQ=
 =siAL
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2018-06-15' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
A handful of fixes:
 * missing RCU grace period enforcement led to drivers freeing
   data structures before; fix from Dedy Lansky.
 * hwsim module init error paths were messed up; fixed it myself
   after a report from Colin King (who had sent a partial patch)
 * kernel-doc tag errors; fix from Luca Coelho
 * initialize the on-stack sinfo data structure when getting
   station information; fix from Sven Eckelmann
 * TXQ state dumping is now done from init, and when TXQs aren't
   initialized yet at that point, bad things happen, move the
   initialization; fix from Toke Høiland-Jørgensen.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:08:26 -07:00
Elad Nachman
ab188e8f4a stmmac: added support for 802.1ad vlan stripping
stmmac reception handler calls stmmac_rx_vlan() to strip the vlan before
calling napi_gro_receive().

The function assumes VLAN tagged frames are always tagged with
802.1Q protocol, and assigns ETH_P_8021Q to the skb by hard-coding
the parameter on call to __vlan_hwaccel_put_tag() .

This causes packets not to be passed to the VLAN slave if it was created
with 802.1AD protocol
(ip link add link eth0 eth0.100 type vlan proto 802.1ad id 100).

This fix passes the protocol from the VLAN header into
__vlan_hwaccel_put_tag() instead of using the hard-coded value of
ETH_P_8021Q.

NETIF_F_HW_VLAN_STAG_RX check was added and the strip action is now
dependent on the correct combination of features and the detected vlan tag.

NETIF_F_HW_VLAN_STAG_RX feature was added to be in line with the driver
actual abilities.

Signed-off-by: Elad Nachman <eladn@gilat.com>
Reviewed-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-15 09:04:38 -07:00
Mauro Carvalho Chehab
ecf3867934 arch/*: Kconfig: fix documentation for NMI watchdog
Changeset 9919cba7ff ("watchdog: Update documentation") updated
the documentation, removing the old nmi_watchdog.txt and adding
a file with a new content.

Update Kconfig files accordingly.

Fixes: 9919cba7ff ("watchdog: Update documentation")

Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Acked-by: Jonathan Corbet <corbet@lwn.net>
2018-06-15 12:48:59 -03:00
Mauro Carvalho Chehab
2fab30199a docs: crypto_engine.rst: Fix two parse warnings
./Documentation/crypto/crypto_engine.rst:13: WARNING: Unexpected indentation.
./Documentation/crypto/crypto_engine.rst:15: WARNING: Block quote ends without a blank line; unexpected unindent.

Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Acked-by: Jonathan Corbet <corbet@lwn.net>
2018-06-15 12:48:59 -03:00
Mauro Carvalho Chehab
b701745097 docs: can.rst: fix a footnote reference
As stated at:
	http://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html#footnotes

A footnote should contain either a number, a reference or
an auto number, e. g.:
        [1], [#f1] or [#].

While using [*] accidentaly works for html, it fails for other
document outputs. In particular, it causes an error with LaTeX
output, causing all books after networking to not be built.

So, replace it by a valid syntax.

Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Acked-by: Jonathan Corbet <corbet@lwn.net>
2018-06-15 12:48:59 -03:00
David Howells
47ea0f2ebf afs: Optimise callback breaking by not repeating volume lookup
At the moment, afs_break_callbacks calls afs_break_one_callback() for each
separate FID it was given, and the latter looks up the volume individually
for each one.

However, this is inefficient if two or more FIDs have the same vid as we
could reuse the volume.  This is complicated by cell aliasing whereby we
may have multiple cells sharing a volume and can therefore have multiple
callback interests for any particular volume ID.

At the moment afs_break_one_callback() scans the entire list of volumes
we're getting from a server and breaks the appropriate callback in every
matching volume, regardless of cell.  This scan is done for every FID.

Optimise callback breaking by the following means:

 (1) Sort the FID list by vid so that all FIDs belonging to the same volume
     are clumped together.

     This is done through the use of an indirection table as we cannot do
     an insertion sort on the afs_callback_break array as we decode FIDs
     into it as we subsequently also have to decode callback info into it
     that corresponds by array index only.

     We also don't really want to bubblesort afterwards if we can avoid it.

 (2) Sort the server->cb_interests array by vid so that all the matching
     volumes are grouped together.  This permits the scan to stop after
     finding a record that has a higher vid.

 (3) When breaking FIDs, we try to keep server->cb_break_lock as long as
     possible, caching the start point in the array for that volume group
     as long as possible.

     It might make sense to add another layer in that list and have a
     refcounted volume ID anchor that has the matching interests attached
     to it rather than being in the list.  This would allow the lock to be
     dropped without losing the cursor.

Signed-off-by: David Howells <dhowells@redhat.com>
2018-06-15 15:27:09 +01:00
David Howells
0da0b7fd73 afs: Display manually added cells in dynamic root mount
Alter the dynroot mount so that cells created by manipulation of
/proc/fs/afs/cells and /proc/fs/afs/rootcell and by specification of a root
cell as a module parameter will cause directories for those cells to be
created in the dynamic root superblock for the network namespace[*].

To this end:

 (1) Only one dynamic root superblock is now created per network namespace
     and this is shared between all attempts to mount it.  This makes it
     easier to find the superblock to modify.

 (2) When a dynamic root superblock is created, the list of cells is walked
     and directories created for each cell already defined.

 (3) When a new cell is added, if a dynamic root superblock exists, a
     directory is created for it.

 (4) When a cell is destroyed, the directory is removed.

 (5) These directories are created by calling lookup_one_len() on the root
     dir which automatically creates them if they don't exist.

[*] Inasmuch as network namespaces are currently supported here.

Signed-off-by: David Howells <dhowells@redhat.com>
2018-06-15 15:27:09 +01:00
David Howells
c88d5a7fff afs: Enable IPv6 DNS lookups
Remove the restriction on DNS lookup upcalls that prevents ipv6 addresses
from being looked up.

Signed-off-by: David Howells <dhowells@redhat.com>
2018-06-15 15:27:09 +01:00
Anatoliy Glagolev
d6c73964f1 bsg: fix race of bsg_open and bsg_unregister
The existing implementation allows races between bsg_unregister and
bsg_open paths. bsg_unregister and request_queue cleanup and deletion
may start and complete right after bsg_get_device (in bsg_open path)
retrieves bsg_class_device and releases the mutex. Then bsg_open path
touches freed memory of bsg_class_device and request_queue.

One possible fix is to hold the mutex all the way through bsg_get_device
instead of releasing it after bsg_class_device retrieval.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-Off-By: Anatoliy Glagolev <glagolig@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2018-06-15 08:15:37 -06:00
Christoph Hellwig
be7f99c536 block: remov blk_queue_invalidate_tags
This function is entirely unused, so remove it and the tag_queue_busy
member of struct request_queue.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2018-06-15 08:13:35 -06:00
Jens Axboe
95c7c09f4c Merge branch 'nvme-4.18' of git://git.infradead.org/nvme into for-linus
Pull NVMe fixes from Christoph:

"Fix various little regressions introduced in this merge window, plus
 a rework of the fibre channel connect and reconnect path to share the
 code instead of having separate sets of bugs. Last but not least a
 trivial trace point addition from Hannes."

* 'nvme-4.18' of git://git.infradead.org/nvme:
  nvme-fabrics: fix and refine state checks in __nvmf_check_ready
  nvme-fabrics: handle the admin-only case properly in nvmf_check_ready
  nvme-fabrics: refactor queue ready check
  blk-mq: remove blk_mq_tagset_iter
  nvme: remove nvme_reinit_tagset
  nvme-fc: fix nulling of queue data on reconnect
  nvme-fc: remove reinit_request routine
  nvme-fc: change controllers first connect to use reconnect path
  nvme: don't rely on the changed namespace list log
  nvmet: free smart-log buffer after use
  nvme-rdma: fix error flow during mapping request data
  nvme: add bio remapping tracepoint
  nvme: fix NULL pointer dereference in nvme_init_subsystem
2018-06-15 08:11:05 -06:00
Dedy Lansky
bf2b61a683 cfg80211: fix rcu in cfg80211_unregister_wdev
Callers of cfg80211_unregister_wdev can free the wdev object
immediately after this function returns. This may crash the kernel
because this wdev object is still in use by other threads.
Add synchronize_rcu() after list_del_rcu to make sure wdev object can
be safely freed.

Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
2018-06-15 13:05:14 +02:00
Toke Høiland-Jørgensen
dc8b274f09 mac80211: Move up init of TXQs
On init, ieee80211_if_add() dumps the interface. Since that now includes a
dump of the TXQ state, we need to initialise that before the dump happens.
So move up the TXQ initialisation to to before the call to
ieee80211_if_add().

Fixes: 52539ca89f ("cfg80211: Expose TXQ stats and parameters to userspace")
Reported-by: Niklas Cassel <niklas.cassel@linaro.org>
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Tested-by: Niklas Cassel <niklas.cassel@linaro.org>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
2018-06-15 13:02:42 +02:00
Johannes Berg
3f61b7a30a mac80211_hwsim: fix module init error paths
We didn't free the workqueue on any errors, nor did we
correctly check for rhashtable allocation errors, nor
did we free the hashtable on error.

Reported-by: Colin King <colin.king@canonical.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
2018-06-15 13:02:02 +02:00
Sven Eckelmann
3c12d04868 cfg80211: initialize sinfo in cfg80211_get_station
Most of the implementations behind cfg80211_get_station will not initialize
sinfo to zero before manipulating it. For example, the member "filled",
which indicates the filled in parts of this struct, is often only modified
by enabling certain bits in the bitfield while keeping the remaining bits
in their original state. A caller without a preinitialized sinfo.filled can
then no longer decide which parts of sinfo were filled in by
cfg80211_get_station (or actually the underlying implementations).

cfg80211_get_station must therefore take care that sinfo is initialized to
zero. Otherwise, the caller may tries to read information which was not
filled in and which must therefore also be considered uninitialized. In
batadv_v_elp_get_throughput's case, an invalid "random" expected throughput
may be stored for this neighbor and thus the B.A.T.M.A.N V algorithm may
switch to non-optimal neighbors for certain destinations.

Fixes: 7406353d43 ("cfg80211: implement cfg80211_get_station cfg80211 API")
Reported-by: Thomas Lauer <holminateur@gmail.com>
Reported-by: Marcel Schmidt <ff.z-casparistrasse@mailbox.org>
Cc: b.a.t.m.a.n@lists.open-mesh.org
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
2018-06-15 13:01:47 +02:00
Luca Coelho
badbc27df3 nl80211: fix some kernel doc tag mistakes
There is a bunch of tags marking constants with &, which means struct
or enum name.  Replace them with %, which is the correct tag for
constants.

Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
2018-06-15 13:01:31 +02:00
Christoph Hellwig
35897b920c nvme-fabrics: fix and refine state checks in __nvmf_check_ready
- make sure we only allow internally generates commands in any non-live
   state
 - only allow connect commands on non-live queues when actually in the
   new or connecting states
 - treat all other non-live, non-dead states the same as a default
   cach-all

This fixes a regression where we could not shutdown a controller
orderly as we didn't allow the internal generated Property Set
command, and also ensures we don't accidentally let a Connect command
through in the wrong state.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: James Smart <james.smart@broadcom.com>
2018-06-15 11:21:00 +02:00
Christoph Hellwig
278ab3799a nvme-fabrics: handle the admin-only case properly in nvmf_check_ready
In the ADMIN_ONLY state we don't have any I/O queues, but we should accept
all admin commands without further checks.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: James Smart <james.smart@broadcom.com>
2018-06-15 11:21:00 +02:00
Christoph Hellwig
3bc32bb118 nvme-fabrics: refactor queue ready check
Move the is_connected check to the fibre channel transport, as it has no
meaning for other transports.  To facilitate this split out a new
nvmf_fail_nonready_command helper that is called by the transport when
it is asked to handle a command on a queue that is not ready.

Also avoid a function call for the queue live fast path by inlining
the check.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: James Smart <james.smart@broadcom.com>
2018-06-15 11:21:00 +02:00
Linus Torvalds
4c5e8fc62d linux-kselftest-4.18-rc1-2
This second Kselftest update for Linux 4.18-rc1:
 
 - fixes a signedness bug in cgroups test
 - adds ppc support for kprobe args tests
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEPZKym/RZuOCGeA/kCwJExA0NQxwFAlshTxYACgkQCwJExA0N
 Qxy4ZA//WUeH4DqnpZmFKQ7fYAzyuKGHgilRXZ3kDf7jW+VPzYtxn5/4xIJWzEKZ
 76JfnZkL/zd+JgAz86UKLyUNSPEgS0W7wHW+MQgITMTdtjqaks7EW9jLpvsWBf0m
 K5Wmzre7BezvpOCO4z91u7N4rsmmfzAgaGmVl2jUleXEkCBtaxQNNgfSkXzkhyua
 Q2+WxVqvTcWfPTGSYtxIDNM5OiLAJ/mB+FureVuKTbFGc0aWYNIudldohNBejiLt
 sGKwriaD8RMNKQCdKHZxRZoEKZGe3hpKsfxReU+KkUAtzIbmisfwiO5ohjncxp0t
 OE42VMQixe2DZO3PfN58DNJeqvzPgGbILRqjRXLRL6jAS23jI5gYYicxyb0Ex8zm
 +c7KEEzG4L7yAM4Z8idkKykWritjQTn02Rfwri08OvT84NtESmCadQpXsv3inIOo
 6N2Ypm0+Hpe2sPocrQVQQTFO6h6xbS+pDPRR3FkZbLlcjWIAFHC9mqmP2XdvVJdq
 D1vuDMfL7bHqCBQoqWcSUhPmAxiBtzEDK7TCP7txNjUguB/MGBhEPf0gailuPFMK
 pJdsOY8ynnezrcA5mklKTVIAZd6hbMkdBftJRKigHRZBtZ6em+oyQcoaHhMuxUdr
 LjyCDlN4HduHqxzRAx3ytbiVTcT4k12yC6+sv23YHsYZxRfpKqg=
 =5i77
 -----END PGP SIGNATURE-----

Merge tag 'linux-kselftest-4.18-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Pull more Kselftest updates from Shuah Khan:

 - fix a signedness bug in cgroups test

 - add ppc support for kprobe args tests

* tag 'linux-kselftest-4.18-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  kselftest/cgroup: fix a signedness bug
  selftests/ftrace: Add ppc support for kprobe args tests
2018-06-15 17:26:29 +09:00
Linus Torvalds
2f6e24d315 sound fixes for 4.18-rc1
Here is a collection of small fixes on top of the previous update.
 All small and obvious fixes.  Mostly for usual suspects, USB-audio and
 HD-audio, but a few trivial error handling fixes for misc drivers as
 well.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAlsizZwOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE/eOQ/9Gmpmt5HtrfesubzjUgkNxAJ9rEIVI8YaNnzv
 okk8X9q3BWfW6s/QThMQoTglB+wdvxl96SvhAqsyZcfcdE9rdMm5A0N5P+uz+EWV
 VmJf1bslKGn/EcPPIt4rSAF/YtR7UXHOQ59ZngYVtUDQWXcE48sTPOn84OR0acSI
 z/tx5RXUCDmsC+uFn4okUNpnDBttK+G4+2beLb3NJtAqVsT/x0pJOcWzmFmh3UZW
 7pzCQ6rvJpN8oK8Q5rI8282OG3MU0qTFP7o25ncimQr2kSSnUmdxUwIfXLUa4UCv
 y+ZSYpBhGBhm8JV154OiXpdbolUDFEGBlUjHgFKB9qdiBGVy8bndAIrEHVv4Hql+
 cTC5xR3GQ2clJYUSPDAORgXG3f/lnD9i4rQ8eRXqyz+8XkiTGfQ27u6eis2nccy3
 Wf3Pa7j7knnlfBIw4Fnw7OpcyXUyC+KZ+IQFEmERAIfmLrmQh10oO8o91+hivMFB
 e/1MCg+pvk1QGR/iT/WbUeOp0ifg3pv2W16vPv/KlrOlimxEbsYbegCzt19OZ4D8
 XY+d8Wwf64awwpynoYXkPUMt6T1hFvJpucdlKOkj52DtnDenio4TNf0AyKDAZSHm
 9B7NSikEgsxLO8NtPjSVKR4LB3NOhxJVP1OEAjOHTK02jy4pq+HjapYfVy8x9NZn
 9mslHp0=
 =XDCD
 -----END PGP SIGNATURE-----

Merge tag 'sound-fix-4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Here is a collection of small fixes on top of the previous update.

  All small and obvious fixes. Mostly for usual suspects, USB-audio and
  HD-audio, but a few trivial error handling fixes for misc drivers as
  well"

* tag 'sound-fix-4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: usb-audio: Always create the interrupt pipe for the mixer
  ALSA: usb-audio: Add insertion control for UAC3 BADD
  ALSA: usb-audio: Change in connectors control creation interface
  ALSA: usb-audio: Add bi-directional terminal types
  ALSA: lx6464es: add error handling for pci_ioremap_bar
  ALSA: sonicvibes: add error handling for snd_ctl_add
  ALSA: usb-audio: Remove explicitly listed Mytek devices
  ALSA: usb-audio: Generic DSD detection for XMOS-based implementations
  ALSA: usb-audio: Add native DSD support for Mytek DACs
  ALSA: hda/realtek - Add shutup hint
  ALSA: usb-audio: Disable the quirk for Nura headset
  ALSA: hda: add dock and led support for HP ProBook 640 G4
  ALSA: hda: add dock and led support for HP EliteBook 830 G5
  ALSA: emu10k1: add error handling for snd_ctl_add
  ALSA: fm801: add error handling for snd_ctl_add
2018-06-15 17:24:40 +09:00
Linus Torvalds
becfc5e97c amd fixes for 4.18-rc1
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbI0DcAAoJEAx081l5xIa+lJUP/2jY5MmTArMTJb7EqdBL4EJA
 6aYAfLyoQZFKgkGE+qq6DsKPGRo82VeOorVjY3SZ3DhFMNUylu79zDL/2Qbtejrw
 2K2Gd+JtC9I2uZIYwwKTVRk7Z3w/Y2stf9Sd8AA1pY4Ak3RpEKxav8NubmrET8Mu
 7y7BPekHyn5kfTA8x6R71sR3tNxWSX9YT6kEsWh2I9wykyVs+za7qRfuQyO/wm0Z
 AhqsZ/7cbmJQtGcVEU9hgSRcbmKDD7E/w6dczGZXYOXkVVmAOHM6As3D3SH2EIga
 fZWhLOM2ri6o9UZ1sMqa2gKW0DvSMiMdkpAK+WMgke7uVGwfk/PVaHXczM7oZBIa
 be/wE7Ilf5BgvfUezq1hs1LXMC769urNKzE85b3sDTYlFvGYjiPN1IXSqMazTdAI
 yrQA2sE1mOaU8mgoTfDmWJtUau1yRF6Nn6HS0A+vHvgUM/UeoO3XtdMwszfMOgS9
 fucnB6rNAK1HRfv2DZ29+dC2zUEiRbITPcKEw1PHnDlRW0EnK9vMrPEABbIkk+nf
 9cBNgYSa1SO4UmZdkNxRjeNq3RlyoiQf8XQ9UQKnx4XTyzwFKOTWclJ1gVfL0JSE
 P2so8hSj0rWQwVdy0UA+DhMmvleYu0tKXeRnpuu02H9nmA1h5TH4YyDxQhH9H4w1
 6xxek0+cM6ISMDCzOjRZ
 =YBRl
 -----END PGP SIGNATURE-----

Merge tag 'drm-next-2018-06-15' of git://anongit.freedesktop.org/drm/drm

Pull amd drm fixes from Dave Airlie:
 "Just a single set of AMD fixes for stuff in -next for -rc1"

* tag 'drm-next-2018-06-15' of git://anongit.freedesktop.org/drm/drm: (47 commits)
  drm/amd/powerplay: Set higher SCLK&MCLK frequency than dpm7 in OD (v2)
  drm/amd/powerplay: remove uncessary extra gfxoff control call
  drm/amdgpu: fix parsing indirect register list v2
  drm/amd/include: Update df 3.6 mask and shift definition
  drm/amd/pp: Fix OD feature enable failed on Vega10 workstation cards
  drm/amd/display: Fix stale buffer object (bo) use
  drm/amd/pp: initialize result to before or'ing in data
  drm/amd/powerplay: fix wrong clock adjust sequence
  drm/amdgpu: Grab/put runtime PM references in atomic_commit_tail()
  drm/amd/powerplay: fix missed hwmgr check warning before call gfx_off_control handler
  drm/amdgpu: fix CG enabling hang with gfxoff enabled
  drm/amdgpu: fix clear_all and replace handling in the VM (v2)
  drm/amdgpu: add checking for sos version
  drm/amdgpu: fix the missed vcn fw version report
  Revert "drm/amdgpu: Add an ATPX quirk for hybrid laptop"
  drm/amdgpu/df: fix potential array out-of-bounds read
  drm/amdgpu: Fix NULL pointer when load kfd driver with PP block is disabled
  drm/gfx9: Update gc goldensetting for vega20.
  drm/amd/pp: Allow underclocking when od table is empty in vbios
  drm/amdgpu/display: check if ppfuncs exists before using it
  ...
2018-06-15 17:20:53 +09:00
David Howells
0aac4bce4b afs: Show all of a server's addresses in /proc/fs/afs/servers
Show all of a server's addresses in /proc/fs/afs/servers, placing the
second plus addresses on padded lines of their own.  The current address is
marked with a star.

Signed-off-by: David Howells <dhowells@redhat.com>
2018-06-15 00:52:59 -04:00
David Howells
b6cfbecafb afs: Handle CONFIG_PROC_FS=n
The AFS filesystem depends at the moment on /proc for configuration and
also presents information that way - however, this causes a compilation
failure if procfs is disabled.

Fix it so that the procfs bits aren't compiled in if procfs is disabled.

This means that you can't configure the AFS filesystem directly, but it is
still usable provided that an up-to-date keyutils is installed to look up
cells by SRV or AFSDB DNS records.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
2018-06-15 00:52:55 -04:00
David Howells
24074a35c5 proc: Make inline name size calculation automatic
Make calculation of the size of the inline name in struct proc_dir_entry
automatic, rather than having to manually encode the numbers and failing to
allow for lockdep.

Require a minimum inline name size of 33+1 to allow for names that look
like two hex numbers with a dash between.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-06-15 00:48:57 -04:00
Al Viro
430ff79170 orangefs: simplify compat ioctl handling
no need to mess with copy_in_user(), etc...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-06-15 00:23:55 -04:00
Al Viro
5ed0127fc3 signalfd: lift sigmask copyin and size checks to callers of do_signalfd4()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-06-15 00:23:50 -04:00
Haiyang Zhang
06bdf2803c hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload
These fields in struct ndis_ipsecv2_offload and struct ndis_rsc_offload
are one byte according to the specs. This patch defines them with the
right size. These structs are not in use right now, but will be used soon.

Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 20:15:44 -07:00
Santosh Shilimkar
f1693c63ab rds: avoid unenecessary cong_update in loop transport
Loop transport which is self loopback, remote port congestion
update isn't relevant. Infact the xmit path already ignores it.
Receive path needs to do the same.

Reported-by: syzbot+4c20b3866171ce8441d2@syzkaller.appspotmail.com
Reviewed-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 19:01:49 -07:00
Dave Airlie
daf0678c20 Merge branch 'drm-next-4.18' of git://people.freedesktop.org/~agd5f/linux into drm-next
Fixes for 4.18. Highlights:
- Fixes for gfxoff on Raven
- Remove an ATPX quirk now that the root cause is fixed
- Runtime PM fixes
- Vega20 register header update
- Wattman fixes
- Misc bug fixes

Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180614141428.2909-1-alexander.deucher@amd.com
2018-06-15 11:32:29 +10:00
David S. Miller
7f6afc3384 Merge branch 'l2tp-fixes'
Guillaume Nault says:

====================
l2tp: pppol2tp_connect() fixes

This series fixes a few remaining issues with pppol2tp_connect().

It doesn't try to prevent invalid configurations that have no effect on
kernel's reliability. That would be work for a future patch set.

Patch 2 is the most important as it avoids an invalid pointer
dereference crashing the kernel. It depends on patch 1 for correctly
identifying L2TP session types.

Patches 3 and 4 avoid creating stale tunnels and sessions.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:10:19 -07:00
Guillaume Nault
bda06be215 l2tp: clean up stale tunnel or session in pppol2tp_connect's error path
pppol2tp_connect() may create a tunnel or a session. Remove them in
case of error.

Fixes: fd558d186d ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:10:19 -07:00
Guillaume Nault
3e1bc8bf97 l2tp: prevent pppol2tp_connect() from creating kernel sockets
If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using
the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets
the relevant fields to zero, tricking l2tp_tunnel_create() into setting
up an unusable kernel socket.

We can't set 'tcfg' with the required fields because there's no way to
get them from the current connect() parameters. So let's restrict
kernel sockets creation to the netlink API, which is the original use
case.

Fixes: 789a4a2c61 ("l2tp: Add support for static unmanaged L2TPv3 tunnels")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:10:19 -07:00
Guillaume Nault
7ac6ab1f8a l2tp: only accept PPP sessions in pppol2tp_connect()
l2tp_session_priv() returns a struct pppol2tp_session pointer only for
PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
structure, which is much smaller than struct pppol2tp_session. This
leads to invalid memory dereference when trying to lock ps->sk_lock.

Fixes: d9e31d17ce ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:10:19 -07:00
Guillaume Nault
90904ff5f9 l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect()
Define cfg.pw_type so that the new session is created with its .pwtype
field properly set (L2TP_PWTYPE_PPP).

Not setting the pseudo-wire type had several annoying effects:

  * Invalid value returned in the L2TP_ATTR_PW_TYPE attribute when
    dumping sessions with the netlink API.

  * Impossibility to delete the session using the netlink API (because
    l2tp_nl_cmd_session_delete() gets the deletion callback function
    from an array indexed by the session's pseudo-wire type).

Also, there are several cases where we should check a session's
pseudo-wire type. For example, pppol2tp_connect() should refuse to
connect a session that is not PPPoL2TP, but that requires the session's
.pwtype field to be properly set.

Fixes: f7faffa3ff ("l2tp: Add L2TPv3 protocol support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:10:19 -07:00
Ben Noordhuis
11c5ad0ec4 eventpoll: switch to ->poll_mask
Signed-off-by: Ben Noordhuis <info@bnoordhuis.nl>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-06-14 20:09:28 -04:00
Christoph Hellwig
2739b807b0 aio: only return events requested in poll_mask() for IOCB_CMD_POLL
The ->poll_mask() operation has a mask of events that the caller
is interested in, but not all implementations might take it into
account.  Mask the return value to only the requested events,
similar to what the poll and epoll code does.

Reported-by: Avi Kivity <avi@scylladb.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-06-14 20:08:14 -04:00
David S. Miller
aeddb6d5ea Merge branch 'emaclite-fixes'
Radhey Shyam Pandey says:

====================
emaclite bug fixes and code cleanup

This patch series fixes bug in emaclite remove and mdio_setup routines.
It does minor code cleanup.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:08:04 -07:00
Radhey Shyam Pandey
560c5bddba net: emaclite: Remove xemaclite_mdio_setup return check
Errors are already reported in xemaclite_mdio_setup so avoid
reporting it again.

Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:08:03 -07:00
Radhey Shyam Pandey
bd45cbf545 net: emaclite: Remove unused 'has_mdio' flag.
Remove unused 'has_mdio' flag.

Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:08:03 -07:00
Radhey Shyam Pandey
27cad00840 net: emaclite: Fix MDIO bus unregister bug
Since 'has_mdio' flag is not used,sequence insmod->rmmod-> insmod
leads to failure as MDIO unregister doesn't happen in .remove().
Fix it by checking MII bus pointer instead.

Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-14 17:08:03 -07:00