1. 19 Jan, 2018 7 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 726ba84b
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix BPF divides by zero, from Eric Dumazet and Alexei Starovoitov.
      
       2) Reject stores into bpf context via st and xadd, from Daniel
          Borkmann.
      
       3) Fix a memory leak in TUN, from Cong Wang.
      
       4) Disable RX aggregation on a specific troublesome configuration of
          r8152 in a Dell TB16b dock.
      
       5) Fix sw_ctx leak in tls, from Sabrina Dubroca.
      
       6) Fix program replacement in cls_bpf, from Daniel Borkmann.
      
       7) Fix uninitialized station_info structures in cfg80211, from Johannes
          Berg.
      
       8) Fix miscalculation of transport header offset field in flow
          dissector, from Eric Dumazet.
      
       9) Fix LPM tree leak on failure in mlxsw driver, from Ido Schimmel.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (29 commits)
        ibmvnic: Fix IPv6 packet descriptors
        ibmvnic: Fix IP offload control buffer
        ipv6: don't let tb6_root node share routes with other node
        ip6_gre: init dev->mtu and dev->hard_header_len correctly
        mlxsw: spectrum_router: Free LPM tree upon failure
        flow_dissector: properly cap thoff field
        fm10k: mark PM functions as __maybe_unused
        cfg80211: fix station info handling bugs
        netlink: reset extack earlier in netlink_rcv_skb
        can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
        can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
        bpf: mark dst unknown on inconsistent {s, u}bounds adjustments
        bpf: fix cls_bpf on filter replace
        Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500
        tls: reset crypto_info when do_tls_setsockopt_tx fails
        tls: return -EBUSY if crypto_info is already set
        tls: fix sw_ctx leak
        net/tls: Only attach to sockets in ESTABLISHED state
        net: fs_enet: do not call phy_stop() in interrupts
        r8152: disable RX aggregation on Dell TB16 dock
        ...
      726ba84b
    • Thomas Falcon's avatar
      ibmvnic: Fix IPv6 packet descriptors · a0dca10f
      Thomas Falcon authored
      
      
      Packet descriptor generation for IPv6 is broken.
      Properly set L3 and L4 protocol flags for IPv6 descriptors.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a0dca10f
    • Thomas Falcon's avatar
      ibmvnic: Fix IP offload control buffer · f6897943
      Thomas Falcon authored
      
      
      Set some missing fields in the IP control offload buffer. This buffer is
      used to enable checksum and TCP segmentation offload in the VNIC server.
      The buffer length field and the checksum offloading bits were not set
      properly, so fix that here.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f6897943
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-4.15-20180118' of... · 69c4a65e
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.15-20180118' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2018-01-18
      
      ====================
      this is a pull reqeust of two patches for net/master:
      
      The syzkaller project triggered two WARN_ONCE() in the af_can code from
      userspace and we decided to replace it by a pr_warn_once().
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69c4a65e
    • Wei Wang's avatar
      ipv6: don't let tb6_root node share routes with other node · 591ff9ea
      Wei Wang authored
      After commit 4512c43e, if we add a route to the subtree of tb6_root
      which does not have any route attached to it yet, the current code will
      let tb6_root and the node in the subtree share the same route.
      This could cause problem cause tb6_root has RTN_INFO flag marked and the
      tree repair and clean up code will not work properly.
      This commit makes sure tb6_root->leaf points back to null_entry instead
      of sharing route with other node.
      
      It fixes the following syzkaller reported issue:
      BUG: KASAN: use-after-free in ipv6_prefix_equal include/net/ipv6.h:540 [inline]
      BUG: KASAN: use-after-free in fib6_add_1+0x165f/0x1790 net/ipv6/ip6_fib.c:618
      Read of size 8 at addr ffff8801bc043498 by task syz-executor5/19819
      
      CPU: 1 PID: 19819 Comm: syz-executor5 Not tainted 4.15.0-rc7+ #186
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       print_address_description+0x73/0x250 mm/kasan/report.c:252
       kasan_report_error mm/kasan/report.c:351 [inline]
       kasan_report+0x25b/0x340 mm/kasan/report.c:409
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
       ipv6_prefix_equal include/net/ipv6.h:540 [inline]
       fib6_add_1+0x165f/0x1790 net/ipv6/ip6_fib.c:618
       fib6_add+0x5fa/0x1540 net/ipv6/ip6_fib.c:1214
       __ip6_ins_rt+0x6c/0x90 net/ipv6/route.c:1003
       ip6_route_add+0x141/0x190 net/ipv6/route.c:2790
       ipv6_route_ioctl+0x4db/0x6b0 net/ipv6/route.c:3299
       inet6_ioctl+0xef/0x1e0 net/ipv6/af_inet6.c:520
       sock_do_ioctl+0x65/0xb0 net/socket.c:958
       sock_ioctl+0x2c2/0x440 net/socket.c:1055
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
       entry_SYSCALL_64_fastpath+0x23/0x9a
      RIP: 0033:0x452ac9
      RSP: 002b:00007fd42b321c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
      RDX: 0000000020fd7000 RSI: 000000000000890b RDI: 0000000000000013
      RBP: 000000000000049e R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f4f70
      R13: 00000000ffffffff R14: 00007fd42b3226d4 R15: 0000000000000000
      
      Fixes: 4512c43e
      
       ("ipv6: remove null_entry before adding default route")
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      591ff9ea
    • Alexey Kodanev's avatar
      ip6_gre: init dev->mtu and dev->hard_header_len correctly · 128bb975
      Alexey Kodanev authored
      Commit b05229f4 ("gre6: Cleanup GREv6 transmit path,
      call common GRE functions") moved dev->mtu initialization
      from ip6gre_tunnel_setup() to ip6gre_tunnel_init(), as a
      result, the previously set values, before ndo_init(), are
      reset in the following cases:
      
      * rtnl_create_link() can update dev->mtu from IFLA_MTU
        parameter.
      
      * ip6gre_tnl_link_config() is invoked before ndo_init() in
        netlink and ioctl setup, so ndo_init() can reset MTU
        adjustments with the lower device MTU as well, dev->mtu
        and dev->hard_header_len.
      
        Not applicable for ip6gretap because it has one more call
        to ip6gre_tnl_link_config(tunnel, 1) in ip6gre_tap_init().
      
      Fix the first case by updating dev->mtu with 'tb[IFLA_MTU]'
      parameter if a user sets it manually on a device creation,
      and fix the second one by moving ip6gre_tnl_link_config()
      call after register_netdevice().
      
      Fixes: b05229f4 ("gre6: Cleanup GREv6 transmit path, call common GRE functions")
      Fixes: db2ec95d
      
       ("ip6_gre: Fix MTU setting")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      128bb975
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Free LPM tree upon failure · ed604c5d
      Ido Schimmel authored
      When a new LPM tree is created, we try to replace the trees in the
      existing virtual routers with it. If we fail, the tree needs to be
      freed.
      
      Currently, this does not happen in the unlikely case where we fail to
      bind the tree to the first virtual router, since its reference count
      never transitions from 1 to 0.
      
      Fix that by taking a reference before binding the tree.
      
      Fixes: fc922bb0
      
       ("mlxsw: spectrum_router: Use one LPM tree for all virtual routers")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ed604c5d
  2. 18 Jan, 2018 13 commits
    • Eric Dumazet's avatar
      flow_dissector: properly cap thoff field · d0c081b4
      Eric Dumazet authored
      syzbot reported yet another crash [1] that is caused by
      insufficient validation of DODGY packets.
      
      Two bugs are happening here to trigger the crash.
      
      1) Flow dissection leaves with incorrect thoff field.
      
      2) skb_probe_transport_header() sets transport header to this invalid
      thoff, even if pointing after skb valid data.
      
      3) qdisc_pkt_len_init() reads out-of-bound data because it
      trusts tcp_hdrlen(skb)
      
      Possible fixes :
      
      - Full flow dissector validation before injecting bad DODGY packets in
      the stack.
       This approach was attempted here : https://patchwork.ozlabs.org/patch/
      861874/
      
      - Have more robust functions in the core.
        This might be needed anyway for stable versions.
      
      This patch fixes the flow dissection issue.
      
      [1]
      CPU: 1 PID: 3144 Comm: syzkaller271204 Not tainted 4.15.0-rc4-mm1+ #49
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       print_address_description+0x73/0x250 mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:355 [inline]
       kasan_report+0x23b/0x360 mm/kasan/report.c:413
       __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:432
       __tcp_hdrlen include/linux/tcp.h:35 [inline]
       tcp_hdrlen include/linux/tcp.h:40 [inline]
       qdisc_pkt_len_init net/core/dev.c:3160 [inline]
       __dev_queue_xmit+0x20d3/0x2200 net/core/dev.c:3465
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3554
       packet_snd net/packet/af_packet.c:2943 [inline]
       packet_sendmsg+0x3ad5/0x60a0 net/packet/af_packet.c:2968
       sock_sendmsg_nosec net/socket.c:628 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:638
       sock_write_iter+0x31a/0x5d0 net/socket.c:907
       call_write_iter include/linux/fs.h:1776 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x684/0x970 fs/read_write.c:482
       vfs_write+0x189/0x510 fs/read_write.c:544
       SYSC_write fs/read_write.c:589 [inline]
       SyS_write+0xef/0x220 fs/read_write.c:581
       entry_SYSCALL_64_fastpath+0x1f/0x96
      
      Fixes: 34fad54c ("net: __skb_flow_dissect() must cap its return value")
      Fixes: a6e544b0
      
       ("flow_dissector: Jump to exit code in __skb_flow_dissect")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0c081b4
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2018-01-17' of... · 9d383fbb
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2018-01-17' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.15
      
      One last set of fixes for regression submitted during the last few days.
      
      bcma & ssb
      
      * fix older build problems which (apparently) recently became more
        frequent in certain MIPS configurations
      
      brcmfmac
      
      * continue driver initialisation even if CLM blob (firmware) file is
        not found
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d383fbb
    • Arnd Bergmann's avatar
      fm10k: mark PM functions as __maybe_unused · b200bfd6
      Arnd Bergmann authored
      A cleanup of the PM code left an incorrect #ifdef in place, leading
      to a harmless build warning:
      
      drivers/net/ethernet/intel/fm10k/fm10k_pci.c:2502:12: error: 'fm10k_suspend' defined but not used [-Werror=unused-function]
      drivers/net/ethernet/intel/fm10k/fm10k_pci.c:2475:12: error: 'fm10k_resume' defined but not used [-Werror=unused-function]
      
      It's easier to use __maybe_unused attributes here, since you
      can't pick the wrong one.
      
      Fixes: 8249c47c
      
       ("fm10k: use generic PM hooks instead of legacy PCIe power hooks")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Tested-by: default avatarKrishneil Singh <krishneil.k.singh@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b200bfd6
    • Johannes Berg's avatar
      cfg80211: fix station info handling bugs · 5762d7d3
      Johannes Berg authored
      Fix two places where the structure isn't initialized to zero,
      and thus can't be filled properly by the driver.
      
      Fixes: 4a4b8169 ("cfg80211: Accept multiple RSSI thresholds for CQM")
      Fixes: 9930380f
      
       ("cfg80211: implement IWRATE")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5762d7d3
    • Xin Long's avatar
      netlink: reset extack earlier in netlink_rcv_skb · cd443f1e
      Xin Long authored
      Move up the extack reset/initialization in netlink_rcv_skb, so that
      those 'goto ack' will not skip it. Otherwise, later on netlink_ack
      may use the uninitialized extack and cause kernel crash.
      
      Fixes: cbbdf843
      
       ("netlink: extack needs to be reset each time through loop")
      Reported-by: syzbot+03bee3680a37466775e7@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cd443f1e
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · dda3e152
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "These are the ARM BPF fixes as discussed earlier this week"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: net: bpf: clarify tail_call index
        ARM: net: bpf: fix LDX instructions
        ARM: net: bpf: fix register saving
        ARM: net: bpf: correct stack layout documentation
        ARM: net: bpf: move stack documentation
        ARM: net: bpf: fix stack alignment
        ARM: net: bpf: fix tail call jumps
        ARM: net: bpf: avoid 'bx' instruction on non-Thumb capable CPUs
      dda3e152
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · cdbe3bf4
      Linus Torvalds authored
      Pull two NVMe fixes from Jens Axboe:
       "Two important fixes for the sgl support for nvme that is new in this
        release"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        nvme-pci: take sglist coalescing in dma_map_sg into account
        nvme-pci: check segement valid for SGL use
      cdbe3bf4
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.15-rc2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 79683f80
      Linus Torvalds authored
      Pull MMC fix from Ulf Hansson:
       "sdhci-esdhc-imx: Fixup clock to make i.MX53 Loco (IMX53QSB) boot
        again"
      
      * tag 'mmc-v4.15-rc2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-esdhc-imx: Fix i.MX53 eSDHCv3 clock
      79683f80
    • Linus Torvalds's avatar
      Merge tag 'gpio-v4.15-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 02308031
      Linus Torvalds authored
      Pull GPIO fix from Linus Walleij:
       "This is the (hopefully) last GPIO fix for v4.15, fixing the bit
        fiddling in the MMIO GPIO driver.
      
        Again the especially endowed screwer-upper who has been open coding
        bit fiddling is yours truly"
      
      * tag 'gpio-v4.15-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: mmio: Also read bits that are zero
      02308031
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 7155f8f3
      David S. Miller authored
      
      
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-01-18
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix a divide by zero due to wrong if (src_reg == 0) check in
         64-bit mode. Properly handle this in interpreter and mask it
         also generically in verifier to guard against similar checks
         in JITs, from Eric and Alexei.
      
      2) Fix a bug in arm64 JIT when tail calls are involved and progs
         have different stack sizes, from Daniel.
      
      3) Reject stores into BPF context that are not expected BPF_STX |
         BPF_MEM variant, from Daniel.
      
      4) Mark dst reg as unknown on {s,u}bounds adjustments when the
         src reg has derived bounds from dead branches, from Daniel.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7155f8f3
    • Marc Kleine-Budde's avatar
      can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once · d4689846
      Marc Kleine-Budde authored
      
      
      If an invalid CANFD frame is received, from a driver or from a tun
      interface, a Kernel warning is generated.
      
      This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a
      kernel, bootet with panic_on_warn, does not panic. A printk seems to be
      more appropriate here.
      
      Reported-by: syzbot+e3b775f40babeff6e68b@syzkaller.appspotmail.com
      Suggested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      d4689846
    • Marc Kleine-Budde's avatar
      can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once · 8cb68751
      Marc Kleine-Budde authored
      
      
      If an invalid CAN frame is received, from a driver or from a tun
      interface, a Kernel warning is generated.
      
      This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a
      kernel, bootet with panic_on_warn, does not panic. A printk seems to be
      more appropriate here.
      
      Reported-by: syzbot+4386709c0c1284dca827@syzkaller.appspotmail.com
      Suggested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      8cb68751
    • Daniel Borkmann's avatar
      bpf: mark dst unknown on inconsistent {s, u}bounds adjustments · 6f16101e
      Daniel Borkmann authored
      
      
      syzkaller generated a BPF proglet and triggered a warning with
      the following:
      
        0: (b7) r0 = 0
        1: (d5) if r0 s<= 0x0 goto pc+0
         R0=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0
        2: (1f) r0 -= r1
         R0=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0
        verifier internal error: known but bad sbounds
      
      What happens is that in the first insn, r0's min/max value
      are both 0 due to the immediate assignment, later in the jsle
      test the bounds are updated for the min value in the false
      path, meaning, they yield smin_val = 1, smax_val = 0, and when
      ctx pointer is subtracted from r0, verifier bails out with the
      internal error and throwing a WARN since smin_val != smax_val
      for the known constant.
      
      For min_val > max_val scenario it means that reg_set_min_max()
      and reg_set_min_max_inv() (which both refine existing bounds)
      demonstrated that such branch cannot be taken at runtime.
      
      In above scenario for the case where it will be taken, the
      existing [0, 0] bounds are kept intact. Meaning, the rejection
      is not due to a verifier internal error, and therefore the
      WARN() is not necessary either.
      
      We could just reject such cases in adjust_{ptr,scalar}_min_max_vals()
      when either known scalars have smin_val != smax_val or
      umin_val != umax_val or any scalar reg with bounds
      smin_val > smax_val or umin_val > umax_val. However, there
      may be a small risk of breakage of buggy programs, so handle
      this more gracefully and in adjust_{ptr,scalar}_min_max_vals()
      just taint the dst reg as unknown scalar when we see ops with
      such kind of src reg.
      
      Reported-by: syzbot+6d362cadd45dc0a12ba4@syzkaller.appspotmail.com
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      6f16101e
  3. 17 Jan, 2018 20 commits
    • Daniel Borkmann's avatar
      bpf: fix cls_bpf on filter replace · ad9294db
      Daniel Borkmann authored
      Running the following sequence is currently broken:
      
        # tc qdisc add dev foo clsact
        # tc filter replace dev foo ingress prio 1 handle 1 bpf da obj bar.o
        # tc filter replace dev foo ingress prio 1 handle 1 bpf da obj bar.o
        RTNETLINK answers: Invalid argument
      
      The normal expectation on kernel side is that the second command
      succeeds replacing the existing program. However, what happens is
      in cls_bpf_change(), we bail out with err in the second run in
      cls_bpf_offload(). The EINVAL comes directly in cls_bpf_offload()
      when comparing prog vs oldprog's gen_flags. In case of above
      replace the new prog's gen_flags are 0, but the old ones are 8,
      which means TCA_CLS_FLAGS_NOT_IN_HW is set (e.g. drivers not having
      cls_bpf offload).
      
      Fix 102740bd ("cls_bpf: fix offload assumptions after callback
      conversion") in the following way: gen_flags from user space passed
      down via netlink cannot include status flags like TCA_CLS_FLAGS_IN_HW
      or TCA_CLS_FLAGS_NOT_IN_HW as opposed to oldprog that we previously
      loaded. Therefore, it doesn't make any sense to include them in the
      gen_flags comparison with the new prog before we even attempt to
      offload. Thus, lets fix this before 4.15 goes out.
      
      Fixes: 102740bd
      
       ("cls_bpf: fix offload assumptions after callback conversion")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad9294db
    • Rex Chang's avatar
      Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500 · 5a717843
      Rex Chang authored
      
      
      In the receive queue for 4096 bytes fragments, the page address
      set in the SW data0 field of the descriptor is not the one we got
      when doing the reassembly in receive. The page structure was retrieved
      from the wrong descriptor into SW data0 which is then causing a
      page fault when UDP checksum is accessing data above 1500.
      Signed-off-by: default avatarRex Chang <rchang@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5a717843
    • Sabrina Dubroca's avatar
      tls: reset crypto_info when do_tls_setsockopt_tx fails · 6db959c8
      Sabrina Dubroca authored
      The current code copies directly from userspace to ctx->crypto_send, but
      doesn't always reinitialize it to 0 on failure. This causes any
      subsequent attempt to use this setsockopt to fail because of the
      TLS_CRYPTO_INFO_READY check, eventhough crypto_info is not actually
      ready.
      
      This should result in a correctly set up socket after the 3rd call, but
      currently it does not:
      
          size_t s = sizeof(struct tls12_crypto_info_aes_gcm_128);
          struct tls12_crypto_info_aes_gcm_128 crypto_good = {
              .info.version = TLS_1_2_VERSION,
              .info.cipher_type = TLS_CIPHER_AES_GCM_128,
          };
      
          struct tls12_crypto_info_aes_gcm_128 crypto_bad_type = crypto_good;
          crypto_bad_type.info.cipher_type = 42;
      
          setsockopt(sock, SOL_TLS, TLS_TX, &crypto_bad_type, s);
          setsockopt(sock, SOL_TLS, TLS_TX, &crypto_good, s - 1);
          setsockopt(sock, SOL_TLS, TLS_TX, &crypto_good, s);
      
      Fixes: 3c4d7559
      
       ("tls: kernel TLS support")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6db959c8
    • Sabrina Dubroca's avatar
      tls: return -EBUSY if crypto_info is already set · 877d17c7
      Sabrina Dubroca authored
      do_tls_setsockopt_tx returns 0 without doing anything when crypto_info
      is already set. Silent failure is confusing for users.
      
      Fixes: 3c4d7559
      
       ("tls: kernel TLS support")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      877d17c7
    • Sabrina Dubroca's avatar
      tls: fix sw_ctx leak · cf6d43ef
      Sabrina Dubroca authored
      During setsockopt(SOL_TCP, TLS_TX), if initialization of the software
      context fails in tls_set_sw_offload(), we leak sw_ctx. We also don't
      reassign ctx->priv_ctx to NULL, so we can't even do another attempt to
      set it up on the same socket, as it will fail with -EEXIST.
      
      Fixes: 3c4d7559
      
       ('tls: kernel TLS support')
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cf6d43ef
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-4.15-20180116' of... · 6ab6dd9e
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.15-20180116' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2018-01-16
      
      this is a pull reqeust of a single patch for net/master:
      
      This patch by Stephane Grosjean fixes a potential bug in the packet
      fragmentation in the peak USB driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6ab6dd9e
    • Christoph Hellwig's avatar
      nvme-pci: take sglist coalescing in dma_map_sg into account · b0f2853b
      Christoph Hellwig authored
      
      
      Some iommu implementations can merge physically and/or virtually
      contiguous segments inside sg_map_dma.  The NVMe SGL support does not take
      this into account and will warn because of falling off a loop.  Pass the
      number of mapped segments to nvme_pci_setup_sgls so that the SGL setup
      can take the number of mapped segments into account.
      Reported-by: default avatarFangjian (Turing) <f.fangjian@huawei.com>
      Fixes: a7a7cbe3
      
       ("nvme-pci: add SGL support")
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarKeith Busch <keith.busch@intel.com>
      Reviewed-by: default avatarSagi Grimberg <sagi@rimberg.me>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      b0f2853b
    • Keith Busch's avatar
      nvme-pci: check segement valid for SGL use · 20469a37
      Keith Busch authored
      The driver needs to verify there is a payload with a command before
      seeing if it should use SGLs to map it.
      
      Fixes: 955b1b5a
      
       ("nvme-pci: move use_sgl initialization to nvme_init_iod()")
      Reported-by: default avatarPaul Menzel <pmenzel+linux-nvme@molgen.mpg.de>
      Reviewed-by: default avatarPaul Menzel <pmenzel+linux-nvme@molgen.mpg.de>
      Signed-off-by: default avatarKeith Busch <keith.busch@intel.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      20469a37
    • Ilya Lesokhin's avatar
      net/tls: Only attach to sockets in ESTABLISHED state · d91c3e17
      Ilya Lesokhin authored
      Calling accept on a TCP socket with a TLS ulp attached results
      in two sockets that share the same ulp context.
      The ulp context is freed while a socket is destroyed, so
      after one of the sockets is released, the second second will
      trigger a use after free when it tries to access the ulp context
      attached to it.
      We restrict the TLS ulp to sockets in ESTABLISHED state
      to prevent the scenario above.
      
      Fixes: 3c4d7559
      
       ("tls: kernel TLS support")
      Reported-by: syzbot+904e7cd6c5c741609228@syzkaller.appspotmail.com
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d91c3e17
    • Christophe Leroy's avatar
      net: fs_enet: do not call phy_stop() in interrupts · f8b39039
      Christophe Leroy authored
      In case of TX timeout, fs_timeout() calls phy_stop(), which
      triggers the following BUG_ON() as we are in interrupt.
      
      [92708.199889] kernel BUG at drivers/net/phy/mdio_bus.c:482!
      [92708.204985] Oops: Exception in kernel mode, sig: 5 [#1]
      [92708.210119] PREEMPT
      [92708.212107] CMPC885
      [92708.214216] CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G        W       4.9.61 #39
      [92708.223227] task: c60f0a40 task.stack: c6104000
      [92708.227697] NIP: c02a84bc LR: c02a947c CTR: c02a93d8
      [92708.232614] REGS: c6105c70 TRAP: 0700   Tainted: G        W        (4.9.61)
      [92708.241193] MSR: 00021032 <ME,IR,DR,RI>[92708.244818]   CR: 24000822  XER: 20000000
      [92708.248767]
      GPR00: c02a947c c6105d20 c60f0a40 c62b4c00 00000005 0000001f c069aad8 0001a688
      GPR08: 00000007 00000100 c02a93d8 00000000 000005fc 00000000 c6213240 c06338e4
      GPR16: 00000001 c06330d4 c0633094 00000000 c0680000 c6104000 c6104000 00000000
      GPR24: 00000200 00000000 ffffffff 00000004 00000078 00009032 00000000 c62b4c00
      NIP [c02a84bc] mdiobus_read+0x20/0x74
      [92708.281517] LR [c02a947c] kszphy_config_intr+0xa4/0xc4
      [92708.286547] Call Trace:
      [92708.288980] [c6105d20] [c6104000] 0xc6104000 (unreliable)
      [92708.294339] [c6105d40] [c02a947c] kszphy_config_intr+0xa4/0xc4
      [92708.300098] [c6105d50] [c02a5330] phy_stop+0x60/0x9c
      [92708.305007] [c6105d60] [c02c84d0] fs_timeout+0xdc/0x110
      [92708.310197] [c6105d80] [c035cd48] dev_watchdog+0x268/0x2a0
      [92708.315593] [c6105db0] [c0060288] call_timer_fn+0x34/0x17c
      [92708.321014] [c6105dd0] [c00605f0] run_timer_softirq+0x21c/0x2e4
      [92708.326887] [c6105e50] [c001e19c] __do_softirq+0xf4/0x2f4
      [92708.332207] [c6105eb0] [c001e3c8] run_ksoftirqd+0x2c/0x40
      [92708.337560] [c6105ec0] [c003b420] smpboot_thread_fn+0x1f0/0x258
      [92708.343405] [c6105ef0] [c003745c] kthread+0xbc/0xd0
      [92708.348217] [c6105f40] [c000c400] ret_from_kernel_thread+0x5c/0x64
      [92708.354275] Instruction dump:
      [92708.357207] 7c0803a6 bbc10018 38210020 4e800020 7c0802a6 9421ffe0 54290024 bfc10018
      [92708.364865] 90010024 7c7f1b78 81290008 552902ee <0f090000> 3bc3002c 7fc3f378 90810008
      [92708.372711] ---[ end trace 42b05441616fafd7 ]---
      
      This patch moves fs_timeout() actions into an async worker.
      
      Fixes: commit 48257c4f
      
       ("Add fs_enet ethernet network driver, for several embedded platforms")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f8b39039
    • Kai-Heng Feng's avatar
      r8152: disable RX aggregation on Dell TB16 dock · 0b165514
      Kai-Heng Feng authored
      r8153 on Dell TB15/16 dock corrupts rx packets.
      
      This change is suggested by Realtek. They guess that the XHCI controller
      doesn't have enough buffer, and their guesswork is correct, once the RX
      aggregation gets disabled, the issue is gone.
      
      ASMedia is currently working on a real sulotion for this issue.
      
      Dell and ODM confirm the bcdDevice and iSerialNumber is unique for TB16.
      
      Note that TB15 has different bcdDevice and iSerialNumber, which are not
      unique values. If you still have TB15, please contact Dell to replace it
      with TB16.
      
      BugLink: https://bugs.launchpad.net/bugs/1729674
      
      
      Cc: Mario Limonciello <mario.limonciello@dell.com>
      Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b165514
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1d966eb4
      Linus Torvalds authored
      Pull x86 fixes from Ingo Molnar:
       "Misc fixes:
      
         - A rather involved set of memory hardware encryption fixes to
           support the early loading of microcode files via the initrd. These
           are larger than what we normally take at such a late -rc stage, but
           there are two mitigating factors: 1) much of the changes are
           limited to the SME code itself 2) being able to early load
           microcode has increased importance in the post-Meltdown/Spectre
           era.
      
         - An IRQ vector allocator fix
      
         - An Intel RDT driver use-after-free fix
      
         - An APIC driver bug fix/revert to make certain older systems boot
           again
      
         - A pkeys ABI fix
      
         - TSC calibration fixes
      
         - A kdump fix"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/apic/vector: Fix off by one in error path
        x86/intel_rdt/cqm: Prevent use after free
        x86/mm: Encrypt the initrd earlier for BSP microcode update
        x86/mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption
        x86/mm: Centralize PMD flags in sme_encrypt_kernel()
        x86/mm: Use a struct to reduce parameters for SME PGD mapping
        x86/mm: Clean up register saving in the __enc_copy() assembly code
        x86/idt: Mark IDT tables __initconst
        Revert "x86/apic: Remove init_bsp_APIC()"
        x86/mm/pkeys: Fix fill_sig_info_pkey
        x86/tsc: Print tsc_khz, when it differs from cpu_khz
        x86/tsc: Fix erroneous TSC rate on Skylake Xeon
        x86/tsc: Future-proof native_calibrate_tsc()
        kdump: Write the correct address of mem_section into vmcoreinfo
      1d966eb4
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9a4ba2ab
      Linus Torvalds authored
      Pull scheduler fix from Ingo Molnar:
       "A delayacct statistics correctness fix"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        delayacct: Account blkio completion on the correct task
      9a4ba2ab
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7dfda84d
      Linus Torvalds authored
      Pull x86 perf fix from Ingo Molnar:
       "An Intel RAPL events fix"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/rapl: Fix Haswell and Broadwell server RAPL event
      7dfda84d
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b8c22594
      Linus Torvalds authored
      Pull locking fixes from Ingo Molnar:
       "Two futex fixes: a input parameters robustness fix, and futex race
        fixes"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        futex: Prevent overflow by strengthen input validation
        futex: Avoid violating the 10th rule of futex
      b8c22594
    • Cong Wang's avatar
      tun: fix a memory leak for tfile->tx_array · 4df0bfc7
      Cong Wang authored
      
      
      tfile->tun could be detached before we close the tun fd,
      via tun_detach_all(), so it should not be used to check for
      tfile->tx_array.
      
      As Jason suggested, we probably have to clean it up
      unconditionally both in __tun_deatch() and tun_detach_all(),
      but this requires to check if it is initialized or not.
      Currently skb_array_cleanup() doesn't have such a check,
      so I check it in the caller and introduce a helper function,
      it is a bit ugly but we can always improve it in net-next.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: 1576d986
      
       ("tun: switch to use skb array for tx")
      Cc: Jason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4df0bfc7
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 88dc7fca
      Linus Torvalds authored
      Pull x86 pti bits and fixes from Thomas Gleixner:
       "This last update contains:
      
         - An objtool fix to prevent a segfault with the gold linker by
           changing the invocation order. That's not just for gold, it's a
           general robustness improvement.
      
         - An improved error message for objtool which spares tearing hairs.
      
         - Make KASAN fail loudly if there is not enough memory instead of
           oopsing at some random place later
      
         - RSB fill on context switch to prevent RSB underflow and speculation
           through other units.
      
         - Make the retpoline/RSB functionality work reliably for both Intel
           and AMD
      
         - Add retpoline to the module version magic so mismatch can be
           detected
      
         - A small (non-fix) update for cpufeatures which prevents cpu feature
           clashing for the upcoming extra mitigation bits to ease
           backporting"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        module: Add retpoline tag to VERMAGIC
        x86/cpufeature: Move processor tracing out of scattered features
        objtool: Improve error message for bad file argument
        objtool: Fix seg fault with gold linker
        x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
        x86/retpoline: Fill RSB on context switch for affected CPUs
        x86/kasan: Panic if there is not enough memory to boot
      88dc7fca
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · dd43f346
      Linus Torvalds authored
      Pull timer fix from Thomas Gleixner:
       "A one-liner fix which prevents deferrable timers becoming stale when
        the system does not switch into NOHZ mode"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        timers: Unconditionally check deferrable base
      dd43f346
    • Russell King's avatar
      ARM: net: bpf: clarify tail_call index · 091f0248
      Russell King authored
      As per 90caccdd ("bpf: fix bpf_tail_call() x64 JIT"), the index used
      for array lookup is defined to be 32-bit wide. Update a misleading
      comment that suggests it is 64-bit wide.
      
      Fixes: 39c13c20
      
       ("arm: eBPF JIT compiler")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      091f0248
    • Russell King's avatar
      ARM: net: bpf: fix LDX instructions · ec19e02b
      Russell King authored
      When the source and destination register are identical, our JIT does not
      generate correct code, which leads to kernel oopses.
      
      Fix this by (a) generating more efficient code, and (b) making use of
      the temporary earlier if we will overwrite the address register.
      
      Fixes: 39c13c20
      
       ("arm: eBPF JIT compiler")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      ec19e02b