1. 10 Nov, 2018 15 commits
    • Florian Fainelli's avatar
      smsc75xx: Check for Wake-on-LAN modes · 66e43f42
      Florian Fainelli authored
      [ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ]
      
      The driver does not check for Wake-on-LAN modes specified by an user,
      but will conditionally set the device as wake-up enabled or not based on
      that, which could be a very confusing user experience.
      
      Fixes: 6c636503 ("smsc75xx: add wol magic packet support")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      66e43f42
    • Florian Fainelli's avatar
      r8152: Check for supported Wake-on-LAN Modes · 2bb181d8
      Florian Fainelli authored
      [ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ]
      
      The driver does not check for Wake-on-LAN modes specified by an user,
      but will conditionally set the device as wake-up enabled or not based on
      that, which could be a very confusing user experience.
      
      Fixes: 21ff2e89 ("r8152: support WOL")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2bb181d8
    • Florian Fainelli's avatar
      sr9800: Check for supported Wake-on-LAN modes · 24665cbd
      Florian Fainelli authored
      [ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ]
      
      The driver currently silently accepts unsupported Wake-on-LAN modes
      (other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
      which is confusing.
      
      Fixes: 19a38d8e ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      24665cbd
    • Florian Fainelli's avatar
      lan78xx: Check for supported Wake-on-LAN modes · 04d846cd
      Florian Fainelli authored
      [ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ]
      
      The driver supports a fair amount of Wake-on-LAN modes, but is not
      checking that the user specified one that is supported.
      
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarWoojung Huh <Woojung.Huh@Microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      04d846cd
    • Florian Fainelli's avatar
      ax88179_178a: Check for supported Wake-on-LAN modes · f3d71a32
      Florian Fainelli authored
      [ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ]
      
      The driver currently silently accepts unsupported Wake-on-LAN modes
      (other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
      which is confusing.
      
      Fixes: e2ca90c2 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f3d71a32
    • Florian Fainelli's avatar
      asix: Check for supported Wake-on-LAN modes · 644d1918
      Florian Fainelli authored
      [ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ]
      
      The driver currently silently accepts unsupported Wake-on-LAN modes
      (other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
      which is confusing.
      
      Fixes: 2e55cc72 ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      644d1918
    • Lubomir Rintel's avatar
      pxa168fb: prepare the clock · df2d090b
      Lubomir Rintel authored
      [ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ]
      
      Add missing prepare/unprepare operations for fbi->clk,
      this fixes following kernel warning:
      
        ------------[ cut here ]------------
        WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0
        Enabling unprepared disp0_clk
        Modules linked in:
        CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25
        Hardware name: Marvell MMP2 (Device Tree Support)
        [<c010f7cc>] (unwind_backtrace) from [<c010cc6c>] (show_stack+0x10/0x14)
        [<c010cc6c>] (show_stack) from [<c011dab4>] (__warn+0xd8/0xf0)
        [<c011dab4>] (__warn) from [<c011db10>] (warn_slowpath_fmt+0x44/0x6c)
        [<c011db10>] (warn_slowpath_fmt) from [<c043898c>] (clk_core_enable+0x2c/0x1b0)
        [<c043898c>] (clk_core_enable) from [<c0439ec8>] (clk_core_enable_lock+0x18/0x2c)
        [<c0439ec8>] (clk_core_enable_lock) from [<c0436698>] (pxa168fb_probe+0x464/0x6ac)
        [<c0436698>] (pxa168fb_probe) from [<c04779a0>] (platform_drv_probe+0x48/0x94)
        [<c04779a0>] (platform_drv_probe) from [<c0475bec>] (driver_probe_device+0x328/0x470)
        [<c0475bec>] (driver_probe_device) from [<c0475de4>] (__driver_attach+0xb0/0x124)
        [<c0475de4>] (__driver_attach) from [<c0473c38>] (bus_for_each_dev+0x64/0xa0)
        [<c0473c38>] (bus_for_each_dev) from [<c0474ee0>] (bus_add_driver+0x1b8/0x230)
        [<c0474ee0>] (bus_add_driver) from [<c0476a20>] (driver_register+0xac/0xf0)
        [<c0476a20>] (driver_register) from [<c0102dd4>] (do_one_initcall+0xb8/0x1f0)
        [<c0102dd4>] (do_one_initcall) from [<c0b010a0>] (kernel_init_freeable+0x294/0x2e0)
        [<c0b010a0>] (kernel_init_freeable) from [<c07e9eb8>] (kernel_init+0x8/0x10c)
        [<c07e9eb8>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
        Exception stack(0xd008bfb0 to 0xd008bff8)
        bfa0:                                     00000000 00000000 00000000 00000000
        bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
        ---[ end trace c0af40f9e2ed7cb4 ]---
      Signed-off-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      [b.zolnierkie: enhance patch description a bit]
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      df2d090b
    • Matias Karhumaa's avatar
      Bluetooth: SMP: fix crash in unpairing · b0c52fbf
      Matias Karhumaa authored
      [ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]
      
      In case unpair_device() was called through mgmt interface at the same time
      when pairing was in progress, Bluetooth kernel module crash was seen.
      
      [  600.351225] general protection fault: 0000 [#1] SMP PTI
      [  600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G           OE     4.19.0-rc1+ #1
      [  600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
      [  600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
      [  600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
      [  600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
      [  600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
      [  600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
      [  600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
      [  600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
      [  600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
      [  600.351295] FS:  00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
      [  600.351298] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
      [  600.351302] Call Trace:
      [  600.351325]  smp_failure+0x4f/0x70 [bluetooth]
      [  600.351345]  smp_cancel_pairing+0x74/0x80 [bluetooth]
      [  600.351370]  unpair_device+0x1c1/0x330 [bluetooth]
      [  600.351399]  hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
      [  600.351409]  ? apparmor_socket_sendmsg+0x1e/0x20
      [  600.351417]  sock_sendmsg+0x3e/0x50
      [  600.351422]  sock_write_iter+0x85/0xf0
      [  600.351429]  do_iter_readv_writev+0x12b/0x1b0
      [  600.351434]  do_iter_write+0x87/0x1a0
      [  600.351439]  vfs_writev+0x98/0x110
      [  600.351443]  ? ep_poll+0x16d/0x3d0
      [  600.351447]  ? ep_modify+0x73/0x170
      [  600.351451]  do_writev+0x61/0xf0
      [  600.351455]  ? do_writev+0x61/0xf0
      [  600.351460]  __x64_sys_writev+0x1c/0x20
      [  600.351465]  do_syscall_64+0x5a/0x110
      [  600.351471]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  600.351474] RIP: 0033:0x7fb2bdb62fe0
      [  600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
      [  600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
      [  600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
      [  600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
      [  600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
      [  600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
      [  600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
      [  600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap
      [  600.351569]  snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi
      [  600.351637] ---[ end trace e49e9f1df09c94fb ]---
      [  600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
      [  600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
      [  600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
      [  600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
      [  600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
      [  600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
      [  600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
      [  600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
      [  600.351684] FS:  00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
      [  600.351686] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
      
      Crash happened because list_del_rcu() was called twice for smp->ltk. This
      was possible if unpair_device was called right after ltk was generated
      but before keys were distributed.
      
      In this commit smp_cancel_pairing was refactored to cancel pairing if it
      is in progress and otherwise just removes keys. Once keys are removed from
      rcu list, pointers to smp context's keys are set to NULL to make sure
      removed list items are not accessed later.
      
      This commit also adjusts the functionality of mgmt unpair_device() little
      bit. Previously pairing was canceled only if pairing was in state that
      keys were already generated. With this commit unpair_device() cancels
      pairing already in earlier states.
      
      Bug was found by fuzzing kernel SMP implementation using Synopsys
      Defensics.
      Reported-by: default avatarPekka Oikarainen <pekka.oikarainen@synopsys.com>
      Signed-off-by: default avatarMatias Karhumaa <matias.karhumaa@gmail.com>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b0c52fbf
    • Martin Willi's avatar
      mac80211_hwsim: do not omit multicast announce of first added radio · 6879c047
      Martin Willi authored
      [ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ]
      
      The allocation of hwsim radio identifiers uses a post-increment from 0,
      so the first radio has idx 0. This idx is explicitly excluded from
      multicast announcements ever since, but it is unclear why.
      
      Drop that idx check and announce the first radio as well. This makes
      userspace happy if it relies on these events.
      Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6879c047
    • Sean Tranchetti's avatar
      xfrm: validate template mode · 5217bec5
      Sean Tranchetti authored
      [ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]
      
      XFRM mode parameters passed as part of the user templates
      in the IP_XFRM_POLICY are never properly validated. Passing
      values other than valid XFRM modes can cause stack-out-of-bounds
      reads to occur later in the XFRM processing:
      
      [  140.535608] ================================================================
      [  140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
      [  140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
      [  140.557369]
      [  140.558927] Call trace:
      [  140.558936] dump_backtrace+0x0/0x388
      [  140.558940] show_stack+0x24/0x30
      [  140.558946] __dump_stack+0x24/0x2c
      [  140.558949] dump_stack+0x8c/0xd0
      [  140.558956] print_address_description+0x74/0x234
      [  140.558960] kasan_report+0x240/0x264
      [  140.558963] __asan_report_load4_noabort+0x2c/0x38
      [  140.558967] xfrm_state_find+0x17e4/0x1cc4
      [  140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
      [  140.558975] xfrm_lookup+0x238/0x1444
      [  140.558977] xfrm_lookup_route+0x48/0x11c
      [  140.558984] ip_route_output_flow+0x88/0xc4
      [  140.558991] raw_sendmsg+0xa74/0x266c
      [  140.558996] inet_sendmsg+0x258/0x3b0
      [  140.559002] sock_sendmsg+0xbc/0xec
      [  140.559005] SyS_sendto+0x3a8/0x5a8
      [  140.559008] el0_svc_naked+0x34/0x38
      [  140.559009]
      [  140.592245] page dumped because: kasan: bad access detected
      [  140.597981] page_owner info is not active (free page?)
      [  140.603267]
      [  140.653503] ================================================================
      Signed-off-by: default avatarSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5217bec5
    • Thomas Petazzoni's avatar
      ARM: 8799/1: mm: fix pci_ioremap_io() offset check · f4c24fd3
      Thomas Petazzoni authored
      [ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ]
      
      IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e
      something like 0xfffff (and not 0x100000).
      
      Therefore, when offset = 0xf0000 is passed as argument, this function
      fails even though the offset + SZ_64K fits below the
      IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space
      not usable as it cannot be mapped.
      
      This patch fixes that by substracing 1 to offset + SZ_64K, so that we
      compare the addrss of the last byte of the I/O space against
      IO_SPACE_LIMIT instead of the address of the first byte of what is
      after the I/O space.
      
      Fixes: c2794437 ("ARM: Add fixed PCI i/o mapping")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@bootlin.com>
      Acked-by: default avatarNicolas Pitre <nico@linaro.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f4c24fd3
    • Andrei Otcheretianski's avatar
      cfg80211: reg: Init wiphy_idx in regulatory_hint_core() · db420bc4
      Andrei Otcheretianski authored
      [ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ]
      
      Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since
      the regulatory request is zeroed, wiphy_idx was always implicitly set to
      0. This resulted in updating only phy #0.
      Fix that.
      
      Fixes: 806a9e39 ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy")
      Signed-off-by: default avatarAndrei Otcheretianski <andrei.otcheretianski@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      [add fixes tag]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      db420bc4
    • Andrei Otcheretianski's avatar
      mac80211: Always report TX status · 7402bc9c
      Andrei Otcheretianski authored
      [ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ]
      
      If a frame is dropped for any reason, mac80211 wouldn't report the TX
      status back to user space.
      
      As the user space may rely on the TX_STATUS to kick its state
      machines, resends etc, it's better to just report this frame as not
      acked instead.
      Signed-off-by: default avatarAndrei Otcheretianski <andrei.otcheretianski@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7402bc9c
    • Thadeu Lima de Souza Cascardo's avatar
      xfrm6: call kfree_skb when skb is toobig · 4e16c61e
      Thadeu Lima de Souza Cascardo authored
      [ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ]
      
      After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
      and reporting on xmit"), some too big skbs might be potentially passed down to
      __xfrm6_output, causing it to fail to transmit but not free the skb, causing a
      leak of skb, and consequentially a leak of dst references.
      
      After running pmtu.sh, that shows as failure to unregister devices in a namespace:
      
      [  311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1
      
      The fix is to call kfree_skb in case of transmit failures.
      
      Fixes: dd767856 ("xfrm6: Don't call icmpv6_send on local error")
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4e16c61e
    • Steffen Klassert's avatar
      xfrm: Validate address prefix lengths in the xfrm selector. · 5ce93bd4
      Steffen Klassert authored
      [ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ]
      
      We don't validate the address prefix lengths in the xfrm
      selector we got from userspace. This can lead to undefined
      behaviour in the address matching functions if the prefix
      is too big for the given address family. Fix this by checking
      the prefixes and refuse SA/policy insertation when a prefix
      is invalid.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarAir Icy <icytxw@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5ce93bd4
  2. 20 Oct, 2018 25 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.162 · 24c2342b
      Greg Kroah-Hartman authored
      24c2342b
    • Long Li's avatar
      HV: properly delay KVP packets when negotiation is in progress · e34c69f2
      Long Li authored
      commit a3ade8cc upstream.
      
      The host may send multiple negotiation packets
      (due to timeout) before the KVP user-mode daemon
      is connected. KVP user-mode daemon is connected.
      We need to defer processing those packets
      until the daemon is negotiated and connected.
      It's okay for guest to respond
      to all negotiation packets.
      
      In addition, the host may send multiple staged
      KVP requests as soon as negotiation is done.
      We need to properly process those packets using one
      tasklet for exclusive access to ring buffer.
      
      This patch is based on the work of
      Nick Meier <Nick.Meier@microsoft.com>.
      
      The above is the original changelog of
      a3ade8cc ("HV: properly delay KVP packets when negotiation is in progress"
      
      Here I re-worked the original patch because the mainline version
      can't work for the linux-4.4.y branch, on which channel->callback_event
      doesn't exist yet. In the mainline, channel->callback_event was added by:
      631e63a9 ("vmbus: change to per channel tasklet"). Here we don't want
      to backport it to v4.4, as it requires extra supporting changes and fixes,
      which are unnecessary as to the KVP bug we're trying to resolve.
      
      NOTE: before this patch is used, we should cherry-pick the other related
      3 patches from the mainline first:
      
      The background of this backport request is that: recently Wang Jian reported
      some KVP issues: https://github.com/LIS/lis-next/issues/593:
      e.g. the /var/lib/hyperv/.kvp_pool_* files can not be updated, and sometimes
      if the hv_kvp_daemon doesn't timely start, the host may not be able to query
      the VM's IP address via KVP.
      Reported-by: default avatarWang Jian <jianjian.wang1@gmail.com>
      Tested-by: default avatarWang Jian <jianjian.wang1@gmail.com>
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Signed-off-by: default avatarLong Li <longli@microsoft.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e34c69f2
    • Vitaly Kuznetsov's avatar
      Drivers: hv: kvp: fix IP Failover · 43fea648
      Vitaly Kuznetsov authored
      commit 4dbfc2e6 upstream.
      
      Hyper-V VMs can be replicated to another hosts and there is a feature to
      set different IP for replicas, it is called 'Failover TCP/IP'. When
      such guest starts Hyper-V host sends it KVP_OP_SET_IP_INFO message as soon
      as we finish negotiation procedure. The problem is that it can happen (and
      it actually happens) before userspace daemon connects and we reply with
      HV_E_FAIL to the message. As there are no repetitions we fail to set the
      requested IP.
      
      Solve the issue by postponing our reply to the negotiation message till
      userspace daemon is connected. We can't wait too long as there is a
      host-side timeout (cca. 75 seconds) and if we fail to reply in this time
      frame the whole KVP service will become inactive. The solution is not
      ideal - if it takes userspace daemon more than 60 seconds to connect
      IP Failover will still fail but I don't see a solution with our current
      separation between kernel and userspace parts.
      
      Other two modules (VSS and FCOPY) don't require such delay, leave them
      untouched.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43fea648
    • K. Y. Srinivasan's avatar
      Drivers: hv: util: Pass the channel information during the init call · eaee7976
      K. Y. Srinivasan authored
      commit b9830d12 upstream.
      
      Pass the channel information to the util drivers that need to defer
      reading the channel while they are processing a request. This would address
      the following issue reported by Vitaly:
      
      Commit 3cace4a6 ("Drivers: hv: utils: run polling callback always in
      interrupt context") removed direct *_transaction.state = HVUTIL_READY
      assignments from *_handle_handshake() functions introducing the following
      race: if a userspace daemon connects before we get first non-negotiation
      request from the server hv_poll_channel() won't set transaction state to
      HVUTIL_READY as (!channel) condition will fail, we set it to non-NULL on
      the first real request from the server.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Reported-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eaee7976
    • K. Y. Srinivasan's avatar
      Drivers: hv: utils: Invoke the poll function after handshake · f91b8b1f
      K. Y. Srinivasan authored
      commit 2d0c3b5a upstream.
      
      When the handshake with daemon is complete, we should poll the channel since
      during the handshake, we will not be processing any messages. This is a
      potential bug if the host is waiting for a response from the guest.
      I would like to thank Dexuan for pointing this out.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f91b8b1f
    • Stephen Warren's avatar
      usb: gadget: serial: fix oops when data rx'd after close · 68a31867
      Stephen Warren authored
      commit daa35bd9 upstream.
      
      When the gadget serial device has no associated TTY, do not pass any
      received data into the TTY layer for processing; simply drop it instead.
      This prevents the TTY layer from calling back into the gadget serial
      driver, which will then crash in e.g. gs_write_room() due to lack of
      gadget serial device to TTY association (i.e. a NULL pointer dereference).
      Signed-off-by: Stephen Warren's avatarStephen Warren <swarren@nvidia.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      68a31867
    • Alexey Brodkin's avatar
      ARC: build: Get rid of toolchain check · 466dda64
      Alexey Brodkin authored
      commit 615f64458ad890ef94abc879a66d8b27236e733a upstream.
      
      This check is very naive: we simply test if GCC invoked without
      "-mcpu=XXX" has ARC700 define set. In that case we think that GCC
      was built with "--with-cpu=arc700" and has libgcc built for ARC700.
      
      Otherwise if ARC700 is not defined we think that everythng was built
      for ARCv2.
      
      But in reality our life is much more interesting.
      
      1. Regardless of GCC configuration (i.e. what we pass in "--with-cpu"
         it may generate code for any ARC core).
      
      2. libgcc might be built with explicitly specified "--mcpu=YYY"
      
      That's exactly what happens in case of multilibbed toolchains:
       - GCC is configured with default settings
       - All the libs built for many different CPU flavors
      
      I.e. that check gets in the way of usage of multilibbed
      toolchains. And even non-multilibbed toolchains are affected.
      OpenEmbedded also builds GCC without "--with-cpu" because
      each and every target component later is compiled with explicitly
      set "-mcpu=ZZZ".
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      466dda64
    • Michael Neuling's avatar
      powerpc/tm: Avoid possible userspace r1 corruption on reclaim · 5a51c554
      Michael Neuling authored
      [ Upstream commit 96dc89d526ef77604376f06220e3d2931a0bfd58 ]
      
      Current we store the userspace r1 to PACATMSCRATCH before finally
      saving it to the thread struct.
      
      In theory an exception could be taken here (like a machine check or
      SLB miss) that could write PACATMSCRATCH and hence corrupt the
      userspace r1. The SLB fault currently doesn't touch PACATMSCRATCH, but
      others do.
      
      We've never actually seen this happen but it's theoretically
      possible. Either way, the code is fragile as it is.
      
      This patch saves r1 to the kernel stack (which can't fault) before we
      turn MSR[RI] back on. PACATMSCRATCH is still used but only with
      MSR[RI] off. We then copy r1 from the kernel stack to the thread
      struct once we have MSR[RI] back on.
      Suggested-by: default avatarBreno Leitao <leitao@debian.org>
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a51c554
    • Michael Neuling's avatar
      powerpc/tm: Fix userspace r13 corruption · 6939b3b0
      Michael Neuling authored
      [ Upstream commit cf13435b730a502e814c63c84d93db131e563f5f ]
      
      When we treclaim we store the userspace checkpointed r13 to a scratch
      SPR and then later save the scratch SPR to the user thread struct.
      
      Unfortunately, this doesn't work as accessing the user thread struct
      can take an SLB fault and the SLB fault handler will write the same
      scratch SPRG that now contains the userspace r13.
      
      To fix this, we store r13 to the kernel stack (which can't fault)
      before we access the user thread struct.
      
      Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen
      as a random userspace segfault with r13 looking like a kernel address.
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Reviewed-by: default avatarBreno Leitao <leitao@debian.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6939b3b0
    • Nathan Chancellor's avatar
      net/mlx4: Use cpumask_available for eq->affinity_mask · 0d02fdd0
      Nathan Chancellor authored
      [ Upstream commit 8ac1ee6f4d62e781e3b3fd8b9c42b70371427669 ]
      
      Clang warns that the address of a pointer will always evaluated as true
      in a boolean context:
      
      drivers/net/ethernet/mellanox/mlx4/eq.c:243:11: warning: address of
      array 'eq->affinity_mask' will always evaluate to 'true'
      [-Wpointer-bool-conversion]
              if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask))
                  ~~~~~^~~~~~~~~~~~~
      1 warning generated.
      
      Use cpumask_available, introduced in commit f7e30f01 ("cpumask: Add
      helper cpumask_available()"), which does the proper checking and avoids
      this warning.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/86Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d02fdd0
    • Michael Schmitz's avatar
      Input: atakbd - fix Atari CapsLock behaviour · 6df8eb6a
      Michael Schmitz authored
      [ Upstream commit 52d2c7bf7c90217fbe875d2d76f310979c48eb83 ]
      
      The CapsLock key on Atari keyboards is not a toggle, it does send the
      normal make and break scancodes.
      
      Drop the CapsLock toggle handling code, which did cause the CapsLock
      key to merely act as a Shift key.
      Tested-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarAndreas Schwab <schwab@linux-m68k.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6df8eb6a
    • Andreas Schwab's avatar
      Input: atakbd - fix Atari keymap · d200ea29
      Andreas Schwab authored
      [ Upstream commit 9e62df51be993035c577371ffee5477697a56aad ]
      
      Fix errors in Atari keymap (mostly in keypad, help and undo keys).
      
      Patch provided on debian-68k ML by Andreas Schwab <schwab@linux-m68k.org>,
      keymap array size and unhandled scancode limit adjusted to 0x73 by me.
      Tested-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarAndreas Schwab <schwab@linux-m68k.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d200ea29
    • Keerthy's avatar
      clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs · be7e497b
      Keerthy authored
      [ Upstream commit 3b7d96a0dbb6b630878597a1838fc39f808b761b ]
      
      The 32k clocksource is NONSTOP for non-am43 SoCs. Hence
      add the flag for all the other SoCs.
      Reported-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarKeerthy <j-keerthy@ti.com>
      Acked-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarDaniel Lezcano <daniel.lezcano@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be7e497b
    • Jozef Balga's avatar
      media: af9035: prevent buffer overflow on write · 2a585d44
      Jozef Balga authored
      [ Upstream commit 312f73b648626a0526a3aceebb0a3192aaba05ce ]
      
      When less than 3 bytes are written to the device, memcpy is called with
      negative array size which leads to buffer overflow and kernel panic. This
      patch adds a condition and returns -EOPNOTSUPP instead.
      Fixes bugzilla issue 64871
      
      [mchehab+samsung@kernel.org: fix a merge conflict and changed the
       condition to match the patch's comment, e. g. len == 3 could
       also be valid]
      Signed-off-by: default avatarJozef Balga <jozef.balga@gmail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a585d44
    • Andy Lutomirski's avatar
      x86/fpu: Finish excising 'eagerfpu' · 4e7ef8fc
      Andy Lutomirski authored
      commit e6365084 upstream.
      
      Now that eagerfpu= is gone, remove it from the docs and some
      comments.  Also sync the changes to tools/.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/cf430dd4481d41280e93ac6cf0def1007a67fc8e.1476740397.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarDaniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4e7ef8fc
    • Rik van Riel's avatar
      x86/fpu: Remove struct fpu::counter · 6e7d7bea
      Rik van Riel authored
      commit 3913cc35 upstream.
      
      With the lazy FPU code gone, we no longer use the counter field
      in struct fpu for anything. Get rid it.
      Signed-off-by: default avatarRik van Riel <riel@redhat.com>
      Reviewed-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: pbonzini@redhat.com
      Link: http://lkml.kernel.org/r/1475627678-20788-6-git-send-email-riel@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarDaniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e7d7bea
    • Andy Lutomirski's avatar
      x86/fpu: Remove use_eager_fpu() · 8c6b69cf
      Andy Lutomirski authored
      commit c592b573 upstream.
      
      This removes all the obvious code paths that depend on lazy FPU mode.
      It shouldn't change the generated code at all.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarRik van Riel <riel@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: pbonzini@redhat.com
      Link: http://lkml.kernel.org/r/1475627678-20788-5-git-send-email-riel@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarDaniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c6b69cf
    • Paolo Bonzini's avatar
      KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch · 84037eeb
      Paolo Bonzini authored
      commit 5a5fbdc0 upstream.
      
      It is now equal to use_eager_fpu(), which simply tests a cpufeature bit.
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarDaniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84037eeb
    • Eric Dumazet's avatar
      rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 · dcea9310
      Eric Dumazet authored
      [ Upstream commit 0e1d6eca5113858ed2caea61a5adc03c595f6096 ]
      
      We have an impressive number of syzkaller bugs that are linked
      to the fact that syzbot was able to create a networking device
      with millions of TX (or RX) queues.
      
      Let's limit the number of RX/TX queues to 4096, this really should
      cover all known cases.
      
      A separate patch will add various cond_resched() in the loops
      handling sysfs entries at device creation and dismantle.
      
      Tested:
      
      lpaa6:~# ip link add gre-4097 numtxqueues 4097 numrxqueues 4097 type ip6gretap
      RTNETLINK answers: Invalid argument
      
      lpaa6:~# time ip link add gre-4096 numtxqueues 4096 numrxqueues 4096 type ip6gretap
      
      real	0m0.180s
      user	0m0.000s
      sys	0m0.107s
      
      Fixes: 76ff5cc9 ("rtnl: allow to specify number of rx and tx queues on device creation")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dcea9310
    • Florian Fainelli's avatar
      net: systemport: Fix wake-up interrupt race during resume · 59b6d2e5
      Florian Fainelli authored
      [ Upstream commit 45ec318578c0c22a11f5b9927d064418e1ab1905 ]
      
      The AON_PM_L2 is normally used to trigger and identify the source of a
      wake-up event. Since the RX_SYS clock is no longer turned off, we also
      have an interrupt being sent to the SYSTEMPORT INTRL_2_0 controller, and
      that interrupt remains active up until the magic packet detector is
      disabled which happens much later during the driver resumption.
      
      The race happens if we have a CPU that is entering the SYSTEMPORT
      INTRL2_0 handler during resume, and another CPU has managed to clear the
      wake-up interrupt during bcm_sysport_resume_from_wol(). In that case, we
      have the first CPU stuck in the interrupt handler with an interrupt
      cause that has been cleared under its feet, and so we keep returning
      IRQ_NONE and we never make any progress.
      
      This was not a problem before because we would always turn off the
      RX_SYS clock during WoL, so the SYSTEMPORT INTRL2_0 would also be turned
      off as well, thus not latching the interrupt.
      
      The fix is to make sure we do not enable either the MPD or
      BRCM_TAG_MATCH interrupts since those are redundant with what the
      AON_PM_L2 interrupt controller already processes and they would cause
      such a race to occur.
      
      Fixes: bb9051a2b230 ("net: systemport: Add support for WAKE_FILTER")
      Fixes: 83e82f4c ("net: systemport: add Wake-on-LAN support")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      59b6d2e5
    • Maxime Chevallier's avatar
      net: mvpp2: Extract the correct ethtype from the skb for tx csum offload · 2b2c9306
      Maxime Chevallier authored
      [ Upstream commit 35f3625c21852ad839f20c91c7d81c4c1101e207 ]
      
      When offloading the L3 and L4 csum computation on TX, we need to extract
      the l3_proto from the ethtype, independently of the presence of a vlan
      tag.
      
      The actual driver uses skb->protocol as-is, resulting in packets with
      the wrong L4 checksum being sent when there's a vlan tag in the packet
      header and checksum offloading is enabled.
      
      This commit makes use of vlan_protocol_get() to get the correct ethtype
      regardless the presence of a vlan tag.
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375 network unit")
      Signed-off-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b2c9306
    • Ido Schimmel's avatar
      team: Forbid enslaving team device to itself · e0fff899
      Ido Schimmel authored
      [ Upstream commit 471b83bd8bbe4e89743683ef8ecb78f7029d8288 ]
      
      team's ndo_add_slave() acquires 'team->lock' and later tries to open the
      newly enslaved device via dev_open(). This emits a 'NETDEV_UP' event
      that causes the VLAN driver to add VLAN 0 on the team device. team's
      ndo_vlan_rx_add_vid() will also try to acquire 'team->lock' and
      deadlock.
      
      Fix this by checking early at the enslavement function that a team
      device is not being enslaved to itself.
      
      A similar check was added to the bond driver in commit 09a89c21
      ("bonding: disallow enslaving a bond to itself").
      
      WARNING: possible recursive locking detected
      4.18.0-rc7+ #176 Not tainted
      --------------------------------------------
      syz-executor4/6391 is trying to acquire lock:
      (____ptrval____) (&team->lock){+.+.}, at: team_vlan_rx_add_vid+0x3b/0x1e0 drivers/net/team/team.c:1868
      
      but task is already holding lock:
      (____ptrval____) (&team->lock){+.+.}, at: team_add_slave+0xdb/0x1c30 drivers/net/team/team.c:1947
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&team->lock);
        lock(&team->lock);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      2 locks held by syz-executor4/6391:
       #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77 [inline]
       #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x412/0xc30 net/core/rtnetlink.c:4662
       #1: (____ptrval____) (&team->lock){+.+.}, at: team_add_slave+0xdb/0x1c30 drivers/net/team/team.c:1947
      
      stack backtrace:
      CPU: 1 PID: 6391 Comm: syz-executor4 Not tainted 4.18.0-rc7+ #176
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
       check_deadlock kernel/locking/lockdep.c:1809 [inline]
       validate_chain kernel/locking/lockdep.c:2405 [inline]
       __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
       lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
       __mutex_lock_common kernel/locking/mutex.c:757 [inline]
       __mutex_lock+0x176/0x1820 kernel/locking/mutex.c:894
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:909
       team_vlan_rx_add_vid+0x3b/0x1e0 drivers/net/team/team.c:1868
       vlan_add_rx_filter_info+0x14a/0x1d0 net/8021q/vlan_core.c:210
       __vlan_vid_add net/8021q/vlan_core.c:278 [inline]
       vlan_vid_add+0x63e/0x9d0 net/8021q/vlan_core.c:308
       vlan_device_event.cold.12+0x2a/0x2f net/8021q/vlan.c:381
       notifier_call_chain+0x180/0x390 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
       call_netdevice_notifiers net/core/dev.c:1753 [inline]
       dev_open+0x173/0x1b0 net/core/dev.c:1433
       team_port_add drivers/net/team/team.c:1219 [inline]
       team_add_slave+0xa8b/0x1c30 drivers/net/team/team.c:1948
       do_set_master+0x1c9/0x220 net/core/rtnetlink.c:2248
       do_setlink+0xba4/0x3e10 net/core/rtnetlink.c:2382
       rtnl_setlink+0x2a9/0x400 net/core/rtnetlink.c:2636
       rtnetlink_rcv_msg+0x46e/0xc30 net/core/rtnetlink.c:4665
       netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2455
       rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4683
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0xa18/0xfd0 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:642 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:652
       ___sys_sendmsg+0x7fd/0x930 net/socket.c:2126
       __sys_sendmsg+0x11d/0x290 net/socket.c:2164
       __do_sys_sendmsg net/socket.c:2173 [inline]
       __se_sys_sendmsg net/socket.c:2171 [inline]
       __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2171
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x456b29
      Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f9706bf8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f9706bf96d4 RCX: 0000000000456b29
      RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004
      RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000004d3548 R14: 00000000004c8227 R15: 0000000000000000
      
      Fixes: 87002b03 ("net: introduce vlan_vid_[add/del] and use them instead of direct [add/kill]_vid ndo calls")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-and-tested-by: syzbot+bd051aba086537515cdb@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0fff899
    • Shahed Shaikh's avatar
      qlcnic: fix Tx descriptor corruption on 82xx devices · 2f04cacd
      Shahed Shaikh authored
      [ Upstream commit c333fa0c4f220f8f7ea5acd6b0ebf3bf13fd684d ]
      
      In regular NIC transmission flow, driver always configures MAC using
      Tx queue zero descriptor as a part of MAC learning flow.
      But with multi Tx queue supported NIC, regular transmission can occur on
      any non-zero Tx queue and from that context it uses
      Tx queue zero descriptor to configure MAC, at the same time TX queue
      zero could be used by another CPU for regular transmission
      which could lead to Tx queue zero descriptor corruption and cause FW
      abort.
      
      This patch fixes this in such a way that driver always configures
      learned MAC address from the same Tx queue which is used for
      regular transmission.
      
      Fixes: 7e2cf4fe ("qlcnic: change driver hardware interface mechanism")
      Signed-off-by: default avatarShahed Shaikh <shahed.shaikh@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f04cacd
    • Yu Zhao's avatar
      net/usb: cancel pending work when unbinding smsc75xx · 0aa059ea
      Yu Zhao authored
      [ Upstream commit f7b2a56e1f3dcbdb4cf09b2b63e859ffe0e09df8 ]
      
      Cancel pending work before freeing smsc75xx private data structure
      during binding. This fixes the following crash in the driver:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
      IP: mutex_lock+0x2b/0x3f
      <snipped>
      Workqueue: events smsc75xx_deferred_multicast_write [smsc75xx]
      task: ffff8caa83e85700 task.stack: ffff948b80518000
      RIP: 0010:mutex_lock+0x2b/0x3f
      <snipped>
      Call Trace:
       smsc75xx_deferred_multicast_write+0x40/0x1af [smsc75xx]
       process_one_work+0x18d/0x2fc
       worker_thread+0x1a2/0x269
       ? pr_cont_work+0x58/0x58
       kthread+0xfa/0x10a
       ? pr_cont_work+0x58/0x58
       ? rcu_read_unlock_sched_notrace+0x48/0x48
       ret_from_fork+0x22/0x40
      Signed-off-by: default avatarYu Zhao <yuzhao@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0aa059ea
    • Sean Tranchetti's avatar
      netlabel: check for IPV4MASK in addrinfo_get · 1f3a2366
      Sean Tranchetti authored
      [ Upstream commit f88b4c01b97e09535505cf3c327fdbce55c27f00 ]
      
      netlbl_unlabel_addrinfo_get() assumes that if it finds the
      NLBL_UNLABEL_A_IPV4ADDR attribute, it must also have the
      NLBL_UNLABEL_A_IPV4MASK attribute as well. However, this is
      not necessarily the case as the current checks in
      netlbl_unlabel_staticadd() and friends are not sufficent to
      enforce this.
      
      If passed a netlink message with NLBL_UNLABEL_A_IPV4ADDR,
      NLBL_UNLABEL_A_IPV6ADDR, and NLBL_UNLABEL_A_IPV6MASK attributes,
      these functions will all call netlbl_unlabel_addrinfo_get() which
      will then attempt dereference NULL when fetching the non-existent
      NLBL_UNLABEL_A_IPV4MASK attribute:
      
      Unable to handle kernel NULL pointer dereference at virtual address 0
      Process unlab (pid: 31762, stack limit = 0xffffff80502d8000)
      Call trace:
      	netlbl_unlabel_addrinfo_get+0x44/0xd8
      	netlbl_unlabel_staticremovedef+0x98/0xe0
      	genl_rcv_msg+0x354/0x388
      	netlink_rcv_skb+0xac/0x118
      	genl_rcv+0x34/0x48
      	netlink_unicast+0x158/0x1f0
      	netlink_sendmsg+0x32c/0x338
      	sock_sendmsg+0x44/0x60
      	___sys_sendmsg+0x1d0/0x2a8
      	__sys_sendmsg+0x64/0xb4
      	SyS_sendmsg+0x34/0x4c
      	el0_svc_naked+0x34/0x38
      Code: 51001149 7100113f 540000a0 f9401508 (79400108)
      ---[ end trace f6438a488e737143 ]---
      Kernel panic - not syncing: Fatal exception
      Signed-off-by: default avatarSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f3a2366