1. 10 Jun, 2018 1 commit
    • Cong Wang's avatar
      socket: close race condition between sock_close() and sockfs_setattr() · 6d8c50dc
      Cong Wang authored
      fchownat() doesn't even hold refcnt of fd until it figures out
      fd is really needed (otherwise is ignored) and releases it after
      it resolves the path. This means sock_close() could race with
      sockfs_setattr(), which leads to a NULL pointer dereference
      since typically we set sock->sk to NULL in ->release().
      
      As pointed out by Al, this is unique to sockfs. So we can fix this
      in socket layer by acquiring inode_lock in sock_close() and
      checking against NULL in sockfs_setattr().
      
      sock_release() is called in many places, only the sock_close()
      path matters here. And fortunately, this should not affect normal
      sock_close() as it is only called when the last fd refcnt is gone.
      It only affects sock_close() with a parallel sockfs_setattr() in
      progress, which is not common.
      
      Fixes: 86741ec2
      
       ("net: core: Add a UID field to struct sock.")
      Reported-by: default avatarshankarapailoor <shankarapailoor@gmail.com>
      Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d8c50dc
  2. 08 Jun, 2018 9 commits
    • Petr Machata's avatar
      net: bridge: Fix locking in br_fdb_find_port() · 873aca2e
      Petr Machata authored
      Callers of br_fdb_find() need to hold the hash lock, which
      br_fdb_find_port() doesn't do. However, since br_fdb_find_port() is not
      doing any actual FDB manipulation, the hash lock is not really needed at
      all. So convert to br_fdb_find_rcu(), surrounded by rcu_read_lock() /
      _unlock() pair.
      
      The device pointer copied from inside the FDB entry is then kept alive
      by the RTNL lock, which br_fdb_find_port() asserts.
      
      Fixes: 4d4fd361
      
       ("net: bridge: Publish bridge accessor functions")
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      873aca2e
    • Paolo Abeni's avatar
      udp: fix rx queue len reported by diag and proc interface · 6c206b20
      Paolo Abeni authored
      After commit 6b229cf7 ("udp: add batching to udp_rmem_release()")
      the sk_rmem_alloc field does not measure exactly anymore the
      receive queue length, because we batch the rmem release. The issue
      is really apparent only after commit 0d4a6608 ("udp: do rmem bulk
      free even if the rx sk queue is empty"): the user space can easily
      check for an empty socket with not-0 queue length reported by the 'ss'
      tool or the procfs interface.
      
      We need to use a custom UDP helper to report the correct queue length,
      taking into account the forward allocation deficit.
      
      Reported-by: trevor.francis@46labs.com
      Fixes: 6b229cf7
      
       ("UDP: add batching to udp_rmem_release()")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6c206b20
    • Bjørn Mork's avatar
      cdc_ncm: avoid padding beyond end of skb · 49c2c3f2
      Bjørn Mork authored
      Commit 4a0e3e98 ("cdc_ncm: Add support for moving NDP to end
      of NCM frame") added logic to reserve space for the NDP at the
      end of the NTB/skb.  This reservation did not take the final
      alignment of the NDP into account, causing us to reserve too
      little space. Additionally the padding prior to NDP addition did
      not ensure there was enough space for the NDP.
      
      The NTB/skb with the NDP appended would then exceed the configured
      max size. This caused the final padding of the NTB to use a
      negative count, padding to almost INT_MAX, and resulting in:
      
      [60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
      [60103.825998] IP: __memset+0x24/0x30
      [60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
      [60103.826013] Oops: 0002 [#1] SMP NOPTI
      [60103.826018] Modules linked in: (removed(
      [60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G           O 4.14.0-3-amd64 #1 Debian 4.14.17-1
      [60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
      [60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
      [60103.826171] RIP: 0010:__memset+0x24/0x30
      [60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
      [60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
      [60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
      [60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
      [60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
      [60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
      [60103.826194] FS:  00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
      [60103.826197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
      [60103.826204] Call Trace:
      [60103.826212]  <IRQ>
      [60103.826225]  cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
      [60103.826236]  cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
      [60103.826246]  usbnet_start_xmit+0x5d/0x710 [usbnet]
      [60103.826254]  ? netif_skb_features+0x119/0x250
      [60103.826259]  dev_hard_start_xmit+0xa1/0x200
      [60103.826267]  sch_direct_xmit+0xf2/0x1b0
      [60103.826273]  __dev_queue_xmit+0x5e3/0x7c0
      [60103.826280]  ? ip_finish_output2+0x263/0x3c0
      [60103.826284]  ip_finish_output2+0x263/0x3c0
      [60103.826289]  ? ip_output+0x6c/0xe0
      [60103.826293]  ip_output+0x6c/0xe0
      [60103.826298]  ? ip_forward_options+0x1a0/0x1a0
      [60103.826303]  tcp_transmit_skb+0x516/0x9b0
      [60103.826309]  tcp_write_xmit+0x1aa/0xee0
      [60103.826313]  ? sch_direct_xmit+0x71/0x1b0
      [60103.826318]  tcp_tasklet_func+0x177/0x180
      [60103.826325]  tasklet_action+0x5f/0x110
      [60103.826332]  __do_softirq+0xde/0x2b3
      [60103.826337]  irq_exit+0xae/0xb0
      [60103.826342]  do_IRQ+0x81/0xd0
      [60103.826347]  common_interrupt+0x98/0x98
      [60103.826351]  </IRQ>
      [60103.826355] RIP: 0033:0x7f397bdf2282
      [60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
      [60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
      [60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
      [60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
      [60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
      [60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
      [60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
      e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
      ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
      [60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
      [60103.826444] CR2: ffff9641f2004000
      
      Commit e1069bbf ("net: cdc_ncm: Reduce memory use when kernel
      memory low") made this bug much more likely to trigger by reducing
      the NTB size under memory pressure.
      
      Link: https://bugs.debian.org/893393
      
      Reported-by: default avatarГорбешко Богдан <bodqhrohro@gmail.com>
      Reported-and-tested-by: default avatarDennis Wassenberg <dennis.wassenberg@secunet.com>
      Cc: Enrico Mioso <mrkiko.rs@gmail.com>
      Fixes: 4a0e3e98
      
       ("cdc_ncm: Add support for moving NDP to end of NCM frame")
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49c2c3f2
    • Davide Caratti's avatar
      net/sched: act_simple: fix parsing of TCA_DEF_DATA · 8d499533
      Davide Caratti authored
      use nla_strlcpy() to avoid copying data beyond the length of TCA_DEF_DATA
      netlink attribute, in case it is less than SIMP_MAX_DATA and it does not
      end with '\0' character.
      
      v2: fix errors in the commit message, thanks Hangbin Liu
      
      Fixes: fa1b1cff
      
       ("net_cls_act: Make act_simple use of netlink policy.")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d499533
    • YueHaibing's avatar
      net: fddi: fix a possible null-ptr-deref · 6310a882
      YueHaibing authored
      
      
      bp->SharedMemAddr is set to NULL while bp->SharedMemSize lesser-or-equal 0,
      then memset will trigger null-ptr-deref.
      
      fix it by replacing pci_alloc_consistent with dma_zalloc_coherent.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6310a882
    • Colin Ian King's avatar
      net: aquantia: fix unsigned numvecs comparison with less than zero · 58d813af
      Colin Ian King authored
      From: Colin Ian King <colin.king@canonical.com>
      
      This was originally mistakenly submitted to net-next. Resubmitting to net.
      
      The comparison of numvecs < 0 is always false because numvecs is a u32
      and hence the error return from a failed call to pci_alloc_irq_vectores
      is never detected.  Fix this by using the signed int ret to handle the
      error return and assign numvecs to err.
      
      Detected by CoverityScan, CID#1468650 ("Unsigned compared against 0")
      
      Fixes: a09bd81b
      
       ("net: aquantia: Limit number of vectors to actually allocated irqs")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58d813af
    • Corentin Labbe's avatar
      net: stmmac: fix build failure due to missing COMMON_CLK dependency · bde49753
      Corentin Labbe authored
      
      
      This patch fix the build failure on m68k;
      drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.o: In function `ipq806x_gmac_probe':
      dwmac-ipq806x.c:(.text+0xda): undefined reference to `clk_set_rate'
      drivers/net/ethernet/stmicro/stmmac/dwmac-rk.o: In function `rk_gmac_probe':
      dwmac-rk.c:(.text+0x1e58): undefined reference to `clk_set_rate'
      drivers/net/ethernet/stmicro/stmmac/dwmac-sti.o: In function `stid127_fix_retime_src':
      dwmac-sti.c:(.text+0xd8): undefined reference to `clk_set_rate'
      dwmac-sti.c:(.text+0x114): undefined reference to `clk_set_rate'
      drivers/net/ethernet/stmicro/stmmac/dwmac-sti.o:dwmac-sti.c:(.text+0x12c): more undefined references to `clk_set_rate' follow
      Lots of stmmac platform drivers need COMMON_CLK in their Kconfig depends.
      Signed-off-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bde49753
    • Alexei Starovoitov's avatar
      bpfilter: fix race in pipe access · 66e58e0e
      Alexei Starovoitov authored
      syzbot reported the following crash
      [  338.293946] bpfilter: read fail -512
      [  338.304515] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  338.311863] general protection fault: 0000 [#1] SMP KASAN
      [  338.344360] RIP: 0010:__vfs_write+0x4a6/0x960
      [  338.426363] Call Trace:
      [  338.456967]  __kernel_write+0x10c/0x380
      [  338.460928]  __bpfilter_process_sockopt+0x1d8/0x35b
      [  338.487103]  bpfilter_mbox_request+0x4d/0xb0
      [  338.491492]  bpfilter_ip_get_sockopt+0x6b/0x90
      
      This can happen when multiple cpus trying to talk to user mode process
      via bpfilter_mbox_request(). One cpu grabs the mutex while another goes to
      sleep on the same mutex. Then former cpu sees that umh pipe is down and
      shuts down the pipes. Later cpu finally acquires the mutex and crashes
      on freed pipe.
      Fix the race by using info.pid as an indicator that umh and pipes are healthy
      and check it after acquiring the mutex.
      
      Fixes: d2ba09c1
      
       ("net: add skeleton of bpfilter kernel module")
      Reported-by: syzbot+7ade6c94abb2774c0fee@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66e58e0e
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · ff267287
      David S. Miller authored
      
      
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-06-08
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix in the BPF verifier to reject modified ctx pointers on helper
         functions, from Daniel.
      
      2) Fix in BPF kselftests for get_cgroup_id_user() helper to only
         record the cgroup id for a provided pid in order to reduce test
         failures from processes interferring with the test, from Yonghong.
      
      3) Fix a crash in AF_XDP's mem accounting when the process owning
         the sock has CAP_IPC_LOCK capabilities set, from Daniel.
      
      4) Fix an issue for AF_XDP on 32 bit machines where XDP_UMEM_PGOFF_*_RING
         defines need ULL suffixes and use loff_t type as they are otherwise
         truncated, from Geert.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ff267287
  3. 07 Jun, 2018 21 commits
    • Daniel Borkmann's avatar
      bpf, xdp: fix crash in xdp_umem_unaccount_pages · c09290c5
      Daniel Borkmann authored
      syzkaller was able to trigger the following panic for AF_XDP:
      
        BUG: KASAN: null-ptr-deref in atomic64_sub include/asm-generic/atomic-instrumented.h:144 [inline]
        BUG: KASAN: null-ptr-deref in atomic_long_sub include/asm-generic/atomic-long.h:199 [inline]
        BUG: KASAN: null-ptr-deref in xdp_umem_unaccount_pages.isra.4+0x3d/0x80 net/xdp/xdp_umem.c:135
        Write of size 8 at addr 0000000000000060 by task syz-executor246/4527
      
        CPU: 1 PID: 4527 Comm: syz-executor246 Not tainted 4.17.0+ #89
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
        Call Trace:
         __dump_stack lib/dump_stack.c:77 [inline]
         dump_stack+0x1b9/0x294 lib/dump_stack.c:113
         kasan_report_error mm/kasan/report.c:352 [inline]
         kasan_report.cold.7+0x6d/0x2fe mm/kasan/report.c:412
         check_memory_region_inline mm/kasan/kasan.c:260 [inline]
         check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
         kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
         atomic64_sub include/asm-generic/atomic-instrumented.h:144 [inline]
         atomic_long_sub include/asm-generic/atomic-long.h:199 [inline]
         xdp_umem_unaccount_pages.isra.4+0x3d/0x80 net/xdp/xdp_umem.c:135
         xdp_umem_reg net/xdp/xdp_umem.c:334 [inline]
         xdp_umem_create+0xd6c/0x10f0 net/xdp/xdp_umem.c:349
         xsk_setsockopt+0x443/0x550 net/xdp/xsk.c:531
         __sys_setsockopt+0x1bd/0x390 net/socket.c:1935
         __do_sys_setsockopt net/socket.c:1946 [inline]
         __se_sys_setsockopt net/socket.c:1943 [inline]
         __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1943
         do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      In xdp_umem_reg() the call to xdp_umem_account_pages() passed
      with CAP_IPC_LOCK where we didn't need to end up charging rlimit
      on memlock for the current user and therefore umem->user continues
      to be NULL. Later on through fault injection syzkaller triggered
      a failure in either umem->pgs or umem->pages allocation such that
      we bail out and undo accounting in xdp_umem_unaccount_pages()
      where we eventually hit the panic since it tries to deref the
      umem->user.
      
      The code is pretty close to mm_account_pinned_pages() and
      mm_unaccount_pinned_pages() pair and potentially could reuse
      it even in a later cleanup, and it appears that the initial
      commit c0c77d8f ("xsk: add user memory registration support
      sockopt") got this right while later follow-up introduced the
      bug via a49049ea ("xsk: simplified umem setup").
      
      Fixes: a49049ea
      
       ("xsk: simplified umem setup")
      Reported-by: syzbot+979217770b09ebf5c407@syzkaller.appspotmail.com
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      c09290c5
    • Geert Uytterhoeven's avatar
      xsk: Fix umem fill/completion queue mmap on 32-bit · a5a16e43
      Geert Uytterhoeven authored
      With gcc-4.1.2 on 32-bit:
      
          net/xdp/xsk.c:663: warning: integer constant is too large for ‘long’ type
          net/xdp/xsk.c:665: warning: integer constant is too large for ‘long’ type
      
      Add the missing "ULL" suffixes to the large XDP_UMEM_PGOFF_*_RING values
      to fix this.
      
          net/xdp/xsk.c:663: warning: comparison is always false due to limited range of data type
          net/xdp/xsk.c:665: warning: comparison is always false due to limited range of data type
      
      "unsigned long" is 32-bit on 32-bit systems, hence the offset is
      truncated, and can never be equal to any of the XDP_UMEM_PGOFF_*_RING
      values.  Use loff_t (and the required cast) to fix this.
      
      Fixes: 423f3832 ("xsk: add umem fill queue support and mmap")
      Fixes: fe230832
      
       ("xsk: add umem completion queue support and mmap")
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Acked-by: default avatarBjörn Töpel <bjorn.topel@intel.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      a5a16e43
    • Yonghong Song's avatar
      tools/bpf: fix selftest get_cgroup_id_user · 23316a36
      Yonghong Song authored
      Commit f269099a ("tools/bpf: add a selftest for
      bpf_get_current_cgroup_id() helper") added a test
      for bpf_get_current_cgroup_id() helper. The bpf program
      is attached to tracepoint syscalls/sys_enter_nanosleep
      and will record the cgroup id if the tracepoint is hit.
      The test program creates a cgroup and attachs itself to
      this cgroup and expects that the test program process
      cgroup id is the same as the cgroup_id retrieved
      by the bpf program.
      
      In a light system where no other processes called
      nanosleep syscall, the test case can pass.
      In a busy system where many different processes can hit
      syscalls/sys_enter_nanosleep tracepoint, the cgroup id
      recorded by bpf program may not match the test program
      process cgroup_id.
      
      This patch fixed an issue by communicating the test program
      pid to bpf program. The bpf program only records
      cgroup id if the current task pid is the same as
      passed-in pid. This ensures that the recorded cgroup_id
      is for the cgroup within which the test program resides.
      
      Fixes: f269099a
      
       ("tools/bpf: add a selftest for bpf_get_current_cgroup_id() helper")
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      23316a36
    • Alexei Starovoitov's avatar
      bpfilter: fix OUTPUT_FORMAT · 8d97ca6b
      Alexei Starovoitov authored
      CONFIG_OUTPUT_FORMAT is x86 only macro.
      Used objdump to extract elf file format.
      
      Fixes: d2ba09c1
      
       ("net: add skeleton of bpfilter kernel module")
      Reported-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d97ca6b
    • Alexei Starovoitov's avatar
      umh: fix race condition · bf956be5
      Alexei Starovoitov authored
      kasan reported use-after-free:
      BUG: KASAN: use-after-free in call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
      Write of size 4 at addr ffff8801d9202370 by task kworker/u4:2/50
      Workqueue: events_unbound call_usermodehelper_exec_work
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
       call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
       process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
       worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
       kthread+0x345/0x410 kernel/kthread.c:240
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
      
      The reason is that 'sub_info' cannot be accessed out of parent task
      context, since it will be freed by the child.
      Instead remember the pid in the child task.
      
      Fixes: 449325b5
      
       ("umh: introduce fork_usermode_blob() helper")
      Reported-by: syzbot+2c73319c406f1987d156@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf956be5
    • Geert Uytterhoeven's avatar
      net: mscc: ocelot: Fix uninitialized error in ocelot_netdevice_event() · 2ac0e152
      Geert Uytterhoeven authored
      With gcc-4.1.2:
      
          drivers/net/ethernet/mscc/ocelot.c: In function ‘ocelot_netdevice_event’:
          drivers/net/ethernet/mscc/ocelot.c:1129: warning: ‘ret’ may be used uninitialized in this function
      
      If the list iterated over by netdev_for_each_lower_dev() is empty, ret
      is never initialized, and converted into a notifier return value.
      
      Fix this by preinitializing ret to zero.
      
      Fixes: a556c76a
      
       ("net: mscc: Add initial Ocelot switch support")
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2ac0e152
    • Xiangning Yu's avatar
      bonding: re-evaluate force_primary when the primary slave name changes · eb55bbf8
      Xiangning Yu authored
      
      
      There is a timing issue under active-standy mode, when bond_enslave() is
      called, bond->params.primary might not be initialized yet.
      
      Any time the primary slave string changes, bond->force_primary should be
      set to true to make sure the primary becomes the active slave.
      Signed-off-by: default avatarXiangning Yu <yuxiangning@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb55bbf8
    • Sultan Alsawaf's avatar
      ip_tunnel: Fix name string concatenate in __ip_tunnel_create() · 000ade80
      Sultan Alsawaf authored
      
      
      By passing a limit of 2 bytes to strncat, strncat is limited to writing
      fewer bytes than what it's supposed to append to the name here.
      
      Since the bounds are checked on the line above this, just remove the string
      bounds checks entirely since they're unneeded.
      Signed-off-by: default avatarSultan Alsawaf <sultanxda@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      000ade80
    • Dexuan Cui's avatar
      hv_netvsc: Fix a network regression after ifdown/ifup · 52acf73b
      Dexuan Cui authored
      Recently people reported the NIC stops working after
      "ifdown eth0; ifup eth0". It turns out in this case the TX queues are not
      enabled, after the refactoring of the common detach logic: when the NIC
      has sub-channels, usually we enable all the TX queues after all
      sub-channels are set up: see rndis_set_subchannel() ->
      netif_device_attach(), but in the case of "ifdown eth0; ifup eth0" where
      the number of channels doesn't change, we also must make sure the TX queues
      are enabled. The patch fixes the regression.
      
      Fixes: 7b2ee50c
      
       ("hv_netvsc: common detach logic")
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Cc: K. Y. Srinivasan <kys@microsoft.com>
      Cc: Haiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      52acf73b
    • Willem de Bruijn's avatar
      net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds vlan · fd3a8862
      Willem de Bruijn authored
      Tun, tap, virtio, packet and uml vector all use struct virtio_net_hdr
      to communicate packet metadata to userspace.
      
      For skbuffs with vlan, the first two return the packet as it may have
      existed on the wire, inserting the VLAN tag in the user buffer.  Then
      virtio_net_hdr.csum_start needs to be adjusted by VLAN_HLEN bytes.
      
      Commit f09e2249 ("macvtap: restore vlan header on user read")
      added this feature to macvtap. Commit 3ce9b20f ("macvtap: Fix
      csum_start when VLAN tags are present") then fixed up csum_start.
      
      Virtio, packet and uml do not insert the vlan header in the user
      buffer.
      
      When introducing virtio_net_hdr_from_skb to deduplicate filling in
      the virtio_net_hdr, the variant from macvtap which adds VLAN_HLEN was
      applied uniformly, breaking csum offset for packets with vlan on
      virtio and packet.
      
      Make insertion of VLAN_HLEN optional. Convert the callers to pass it
      when needed.
      
      Fixes: e858fae2 ("virtio_net: use common code for virtio_net_hdr and skb GSO conversion")
      Fixes: 1276f24e
      
       ("packet: use common code for virtio_net_hdr and skb GSO conversion")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd3a8862
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: add NFT_LOGLEVEL_* enumeration and use it · 7eced5ab
      Pablo Neira Ayuso authored
      This is internal, not exposed through uapi, and although it maps with
      userspace LOG_*, with the introduction of LOGLEVEL_AUDIT we are
      incurring in namespace pollution.
      
      This patch adds the NFT_LOGLEVEL_ enumeration and use it from nft_log.
      
      Fixes: 1a893b44
      
       ("netfilter: nf_tables: Add audit support to log statement")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Acked-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7eced5ab
    • Daniel Borkmann's avatar
      bpf: reject passing modified ctx to helper functions · 58990d1f
      Daniel Borkmann authored
      As commit 28e33f9d ("bpf: disallow arithmetic operations on
      context pointer") already describes, f1174f77 ("bpf/verifier:
      rework value tracking") removed the specific white-listed cases
      we had previously where we would allow for pointer arithmetic in
      order to further generalize it, and allow e.g. context access via
      modified registers. While the dereferencing of modified context
      pointers had been forbidden through 28e33f9d, syzkaller did
      recently manage to trigger several KASAN splats for slab out of
      bounds access and use after frees by simply passing a modified
      context pointer to a helper function which would then do the bad
      access since verifier allowed it in adjust_ptr_min_max_vals().
      
      Rejecting arithmetic on ctx pointer in adjust_ptr_min_max_vals()
      generally could break existing programs as there's a valid use
      case in tracing in combination with passing the ctx to helpers as
      bpf_probe_read(), where the register then becomes unknown at
      verification time due to adding a non-constant offset to it. An
      access sequence may look like the following:
      
        offset = args->filename;  /* field __data_loc filename */
        bpf_probe_read(&dst, len, (char *)args + offset); // args is ctx
      
      There are two options: i) we could special case the ctx and as
      soon as we add a constant or bounded offset to it (hence ctx type
      wouldn't change) we could turn the ctx into an unknown scalar, or
      ii) we generalize the sanity test for ctx member access into a
      small helper and assert it on the ctx register that was passed
      as a function argument. Fwiw, latter is more obvious and less
      complex at the same time, and one case that may potentially be
      legitimate in future for ctx member access at least would be for
      ctx to carry a const offset. Therefore, fix follows approach
      from ii) and adds test cases to BPF kselftests.
      
      Fixes: f1174f77
      
       ("bpf/verifier: rework value tracking")
      Reported-by: syzbot+3d0b2441dbb71751615e@syzkaller.appspotmail.com
      Reported-by: syzbot+c8504affd4fdd0c1b626@syzkaller.appspotmail.com
      Reported-by: syzbot+e5190cb881d8660fb1a3@syzkaller.appspotmail.com
      Reported-by: syzbot+efae31b384d5badbd620@syzkaller.appspotmail.com
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Acked-by: default avatarEdward Cree <ecree@solarflare.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      58990d1f
    • Linus Torvalds's avatar
      Merge tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 3036bc45
      Linus Torvalds authored
      Pull media updates from Mauro Carvalho Chehab:
      
       - remove of atomisp driver from staging, as nobody would have time to
         dedicate huge efforts to fix all the problems there. Also, we have a
         feeling that the driver may not even run the way it is.
      
       - move Zoran driver to staging, in order to be either fixed to use VB2
         and the proper media kAPIs or to be removed
      
       - remove videobuf-dvb driver, with is unused for a while
      
       - some V4L2 documentation fixes/improvements
      
       - new sensor drivers: imx258 and ov7251
      
       - a new driver was added to allow using I2C transparent drivers
      
       - several improvements at the ddbridge driver
      
       - several improvements at the ISDB pt1 driver, making it more coherent
         with the DVB framework
      
       - added a new platform driver for MIPI CSI-2 RX: cadence
      
       - now, all media drivers can be compiled on x86 with COMPILE_TEST
      
       - almost all media drivers now build on non-x86 architectures with
         COMPILE_TEST
      
       - lots of other random stuff: cleanups, support for new board models,
         bug fixes, etc
      
      * tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (464 commits)
        media: omap2: fix compile-testing with FB_OMAP2=m
        media: media/radio/Kconfig: add back RADIO_ISA
        media: v4l2-ioctl.c: fix missing unlock in __video_do_ioctl()
        media: pxa_camera: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
        media: arch: sh: migor: Fix TW9910 PDN gpio
        media: staging: tegra-vde: Reset VDE regardless of memory client resetting failure
        media: marvel-ccic: mmp: select VIDEOBUF2_VMALLOC/DMA_CONTIG
        media: marvel-ccic: allow ccic and mmp drivers to coexist
        media: uvcvideo: Prevent setting unavailable flags
        media: ddbridge: conditionally enable fast TS for stv0910-equipped bridges
        media: dvb-frontends/stv0910: make TS speed configurable
        media: ddbridge/mci: add identifiers to function definition arguments
        media: ddbridge/mci: protect against out-of-bounds array access in stop()
        media: rc: ensure input/lirc device can be opened after register
        media: rc: nuvoton: Keep device enabled during reg init
        media: rc: nuvoton: Keep track of users on CIR enable/disable
        media: rc: nuvoton: Tweak the interrupt enabling dance
        media: uvcvideo: Support realtek's UVC 1.5 device
        media: uvcvideo: Fix driver reference counting
        media: gspca_zc3xx: Enable short exposure times for OV7648
        ...
      3036bc45
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · c90fca95
      Linus Torvalds authored
      Pull powerpc updates from Michael Ellerman:
       "Notable changes:
      
         - Support for split PMD page table lock on 64-bit Book3S (Power8/9).
      
         - Add support for HAVE_RELIABLE_STACKTRACE, so we properly support
           live patching again.
      
         - Add support for patching barrier_nospec in copy_from_user() and
           syscall entry.
      
         - A couple of fixes for our data breakpoints on Book3S.
      
         - A series from Nick optimising TLB/mm handling with the Radix MMU.
      
         - Numerous small cleanups to squash sparse/gcc warnings from Mathieu
           Malaterre.
      
         - Several series optimising various parts of the 32-bit code from
           Christophe Leroy.
      
         - Removal of support for two old machines, "SBC834xE" and "C2K"
           ("GEFanuc,C2K"), which is why the diffstat has so many deletions.
      
        And many other small improvements & fixes.
      
        There's a few out-of-area changes. Some minor ftrace changes OK'ed by
        Steve, and a fix to our powernv cpuidle driver. Then there's a series
        touching mm, x86 and fs/proc/task_mmu.c, which cleans up some details
        around pkey support. It was ack'ed/reviewed by Ingo & Dave and has
        been in next for several weeks.
      
        Thanks to: Akshay Adiga, Alastair D'Silva, Alexey Kardashevskiy, Al
        Viro, Andrew Donnellan, Aneesh Kumar K.V, Anju T Sudhakar, Arnd
        Bergmann, Balbir Singh, Cédric Le Goater, Christophe Leroy, Christophe
        Lombard, Colin Ian King, Dave Hansen, Fabio Estevam, Finn Thain,
        Frederic Barrat, Gautham R. Shenoy, Haren Myneni, Hari Bathini, Ingo
        Molnar, Jonathan Neuschäfer, Josh Poimboeuf, Kamalesh Babulal,
        Madhavan Srinivasan, Mahesh Salgaonkar, Mark Greer, Mathieu Malaterre,
        Matthew Wilcox, Michael Neuling, Michal Suchanek, Naveen N. Rao,
        Nicholas Piggin, Nicolai Stange, Olof Johansson, Paul Gortmaker, Paul
        Mackerras, Peter Rosin, Pridhiviraj Paidipeddi, Ram Pai, Rashmica
        Gupta, Ravi Bangoria, Russell Currey, Sam Bobroff, Samuel
        Mendoza-Jonas, Segher Boessenkool, Shilpasri G Bhat, Simon Guo,
        Souptick Joarder, Stewart Smith, Thiago Jung Bauermann, Torsten Duwe,
        Vaibhav Jain, Wei Yongjun, Wolfram Sang, Yisheng Xie, YueHaibing"
      
      * tag 'powerpc-4.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: (251 commits)
        powerpc/64s/radix: Fix missing ptesync in flush_cache_vmap
        cpuidle: powernv: Fix promotion from snooze if next state disabled
        powerpc: fix build failure by disabling attribute-alias warning in pci_32
        ocxl: Fix missing unlock on error in afu_ioctl_enable_p9_wait()
        powerpc-opal: fix spelling mistake "Uniterrupted" -> "Uninterrupted"
        powerpc: fix spelling mistake: "Usupported" -> "Unsupported"
        powerpc/pkeys: Detach execute_only key on !PROT_EXEC
        powerpc/powernv: copy/paste - Mask SO bit in CR
        powerpc: Remove core support for Marvell mv64x60 hostbridges
        powerpc/boot: Remove core support for Marvell mv64x60 hostbridges
        powerpc/boot: Remove support for Marvell mv64x60 i2c controller
        powerpc/boot: Remove support for Marvell MPSC serial controller
        powerpc/embedded6xx: Remove C2K board support
        powerpc/lib: optimise PPC32 memcmp
        powerpc/lib: optimise 32 bits __clear_user()
        powerpc/time: inline arch_vtime_task_switch()
        powerpc/Makefile: set -mcpu=860 flag for the 8xx
        powerpc: Implement csum_ipv6_magic in assembly
        powerpc/32: Optimise __csum_partial()
        powerpc/lib: Adjust .balign inside string functions for PPC32
        ...
      c90fca95
    • Linus Torvalds's avatar
      Merge tag 'microblaze-v4.18-rc1' of git://git.monstr.eu/linux-2.6-microblaze · c0ab8526
      Linus Torvalds authored
      Pull microblaze updates from Michal Simek:
      
       - Fix simpleImage format generation
      
       - Remove earlyprintk support and replace it by earlycon
      
      * tag 'microblaze-v4.18-rc1' of git://git.monstr.eu/linux-2.6-microblaze:
        microblaze: dts: replace 'linux,stdout-path' with 'stdout-path'
        microblaze: remove redundant early_printk support
        microblaze: remove unnecessary prom.h includes
        microblaze: Fix simpleImage format generation
      c0ab8526
    • Linus Torvalds's avatar
      Merge tag 'udf_for_v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · d987f62c
      Linus Torvalds authored
      Pull udf updates from Jan Kara:
       "UDF support for UTF-16 characters in file names"
      
      * tag 'udf_for_v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        udf: Add support for decoding UTF-16 characters
        udf: Add support for encoding UTF-16 characters
        udf: Push sb argument to udf_name_[to|from]_CS0()
        udf: Convert ident strings to proper charset
        udf: Use UTF-32 <-> UTF-8 conversion functions from NLS
        udf: Always require NLS support
      d987f62c
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.18-ofs' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux · 091a0f27
      Linus Torvalds authored
      Pull orangefs updates from Mike Marshall:
       "Fixes and cleanups:
      
         - fix some sparse warnings
      
         - cleanup some code formatting
      
         - fix up some attribute/meta-data related code"
      
      * tag 'for-linus-4.18-ofs' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux:
        orangefs: use sparse annotations for holding locks across function calls.
        orangefs: make debug_help_fops static
        orangefs: remove unused function orangefs_get_bufmap_init
        orangefs: specify user pointers when using dev_map_desc and bufmap
        orangefs: formatting cleanups
        orangefs: set i_size on new symlink
        orangefs: report attributes_mask and attributes for statx
        orangefs: make struct orangefs_file_vm_ops static
        orangefs: revamp block sizes
      091a0f27
    • Linus Torvalds's avatar
      Merge tag 'ovl-fixes-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · 70f2ae1f
      Linus Torvalds authored
      Pull overlayfs fixes from Miklos Szeredi:
       "This contains a fix for the vfs_mkdir() issue discovered by Al, as
        well as other fixes and cleanups"
      
      * tag 'ovl-fixes-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: use inode_insert5() to hash a newly created inode
        ovl: Pass argument to ovl_get_inode() in a structure
        vfs: factor out inode_insert5()
        ovl: clean up copy-up error paths
        ovl: return EIO on internal error
        ovl: make ovl_create_real() cope with vfs_mkdir() safely
        ovl: create helper ovl_create_temp()
        ovl: return dentry from ovl_create_real()
        ovl: struct cattr cleanups
        ovl: strip debug argument from ovl_do_ helpers
        ovl: remove WARN_ON() real inode attributes mismatch
        ovl: Kconfig documentation fixes
        ovl: update documentation for unionmount-testsuite
      70f2ae1f
    • Linus Torvalds's avatar
      Merge tag 'fuse-update-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · da315f6e
      Linus Torvalds authored
      Pull fuse updates from Miklos Szeredi:
       "The most interesting part of this update is user namespace support,
        mostly done by Eric Biederman. This enables safe unprivileged fuse
        mounts within a user namespace.
      
        There are also a couple of fixes for bugs found by syzbot and
        miscellaneous fixes and cleanups"
      
      * tag 'fuse-update-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: don't keep dead fuse_conn at fuse_fill_super().
        fuse: fix control dir setup and teardown
        fuse: fix congested state leak on aborted connections
        fuse: Allow fully unprivileged mounts
        fuse: Ensure posix acls are translated outside of init_user_ns
        fuse: add writeback documentation
        fuse: honor AT_STATX_FORCE_SYNC
        fuse: honor AT_STATX_DONT_SYNC
        fuse: Restrict allow_other to the superblock's namespace or a descendant
        fuse: Support fuse filesystems outside of init_user_ns
        fuse: Fail all requests with invalid uids or gids
        fuse: Remove the buggy retranslation of pids in fuse_dev_do_read
        fuse: return -ECONNABORTED on /dev/fuse read after abort
        fuse: atomic_o_trunc should truncate pagecache
      da315f6e
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next · 1c8c5a9d
      Linus Torvalds authored
      Pull networking updates from David Miller:
      
       1) Add Maglev hashing scheduler to IPVS, from Inju Song.
      
       2) Lots of new TC subsystem tests from Roman Mashak.
      
       3) Add TCP zero copy receive and fix delayed acks and autotuning with
          SO_RCVLOWAT, from Eric Dumazet.
      
       4) Add XDP_REDIRECT support to mlx5 driver, from Jesper Dangaard
          Brouer.
      
       5) Add ttl inherit support to vxlan, from Hangbin Liu.
      
       6) Properly separate ipv6 routes into their logically independant
          components. fib6_info for the routing table, and fib6_nh for sets of
          nexthops, which thus can be shared. From David Ahern.
      
       7) Add bpf_xdp_adjust_tail helper, which can be used to generate ICMP
          messages from XDP programs. From Nikita V. Shirokov.
      
       8) Lots of long overdue cleanups to the r8169 driver, from Heiner
          Kallweit.
      
       9) Add BTF ("BPF Type Format"), from Martin KaFai Lau.
      
      10) Add traffic condition monitoring to iwlwifi, from Luca Coelho.
      
      11) Plumb extack down into fib_rules, from Roopa Prabhu.
      
      12) Add Flower classifier offload support to igb, from Vinicius Costa
          Gomes.
      
      13) Add UDP GSO support, from Willem de Bruijn.
      
      14) Add documentation for eBPF helpers, from Quentin Monnet.
      
      15) Add TLS tx offload to mlx5, from Ilya Lesokhin.
      
      16) Allow applications to be given the number of bytes available to read
          on a socket via a control message returned from recvmsg(), from
          Soheil Hassas Yeganeh.
      
      17) Add x86_32 eBPF JIT compiler, from Wang YanQing.
      
      18) Add AF_XDP sockets, with zerocopy support infrastructure as well.
          From Björn Töpel.
      
      19) Remove indirect load support from all of the BPF JITs and handle
          these operations in the verifier by translating them into native BPF
          instead. From Daniel Borkmann.
      
      20) Add GRO support to ipv6 gre tunnels, from Eran Ben Elisha.
      
      21) Allow XDP programs to do lookups in the main kernel routing tables
          for forwarding. From David Ahern.
      
      22) Allow drivers to store hardware state into an ELF section of kernel
          dump vmcore files, and use it in cxgb4. From Rahul Lakkireddy.
      
      23) Various RACK and loss detection improvements in TCP, from Yuchung
          Cheng.
      
      24) Add TCP SACK compression, from Eric Dumazet.
      
      25) Add User Mode Helper support and basic bpfilter infrastructure, from
          Alexei Starovoitov.
      
      26) Support ports and protocol values in RTM_GETROUTE, from Roopa
          Prabhu.
      
      27) Support bulking in ->ndo_xdp_xmit() API, from Jesper Dangaard
          Brouer.
      
      28) Add lots of forwarding selftests, from Petr Machata.
      
      29) Add generic network device failover driver, from Sridhar Samudrala.
      
      * ra.kernel.org:/pub/scm/linux/kernel/git/davem/net-next: (1959 commits)
        strparser: Add __strp_unpause and use it in ktls.
        rxrpc: Fix terminal retransmission connection ID to include the channel
        net: hns3: Optimize PF CMDQ interrupt switching process
        net: hns3: Fix for VF mailbox receiving unknown message
        net: hns3: Fix for VF mailbox cannot receiving PF response
        bnx2x: use the right constant
        Revert "net: sched: cls: Fix offloading when ingress dev is vxlan"
        net: dsa: b53: Fix for brcm tag issue in Cygnus SoC
        enic: fix UDP rss bits
        netdev-FAQ: clarify DaveM's position for stable backports
        rtnetlink: validate attributes in do_setlink()
        mlxsw: Add extack messages for port_{un, }split failures
        netdevsim: Add extack error message for devlink reload
        devlink: Add extack to reload and port_{un, }split operations
        net: metrics: add proper netlink validation
        ipmr: fix error path when ipmr_new_table fails
        ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
        net: hns3: remove unused hclgevf_cfg_func_mta_filter
        netfilter: provide udp*_lib_lookup for nf_tproxy
        qed*: Utilize FW 8.37.2.0
        ...
      1c8c5a9d
    • Linus Torvalds's avatar
      Merge tag 'overflow-v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 28576760
      Linus Torvalds authored
      Pull overflow updates from Kees Cook:
       "This adds the new overflow checking helpers and adds them to the
        2-factor argument allocators. And this adds the saturating size
        helpers and does a treewide replacement for the struct_size() usage.
        Additionally this adds the overflow testing modules to make sure
        everything works.
      
        I'm still working on the treewide replacements for allocators with
        "simple" multiplied arguments:
      
           *alloc(a * b, ...) -> *alloc_array(a, b, ...)
      
        and
      
           *zalloc(a * b, ...) -> *calloc(a, b, ...)
      
        as well as the more complex cases, but that's separable from this
        portion of the series. I expect to have the rest sent before -rc1
        closes; there are a lot of messy cases to clean up.
      
        Summary:
      
         - Introduce arithmetic overflow test helper functions (Rasmus)
      
         - Use overflow helpers in 2-factor allocators (Kees, Rasmus)
      
         - Introduce overflow test module (Rasmus, Kees)
      
         - Introduce saturating size helper functions (Matthew, Kees)
      
         - Treewide use of struct_size() for allocators (Kees)"
      
      * tag 'overflow-v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        treewide: Use struct_size() for devm_kmalloc() and friends
        treewide: Use struct_size() for vmalloc()-family
        treewide: Use struct_size() for kmalloc()-family
        device: Use overflow helpers for devm_kmalloc()
        mm: Use overflow helpers in kvmalloc()
        mm: Use overflow helpers in kmalloc_array*()
        test_overflow: Add memory allocation overflow tests
        overflow.h: Add allocation size calculation helpers
        test_overflow: Report test failures
        test_overflow: macrofy some more, do more tests for free
        lib: add runtime test of check_*_overflow functions
        compiler.h: enable builtin overflow checkers and add fallback code
      28576760
  4. 06 Jun, 2018 9 commits
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 5eb6eed7
      Linus Torvalds authored
      Pull tracing updates from Steven Rostedt:
       "One new feature was added to ftrace, which is the trace_marker now
        supports triggers. For example:
      
          # cd /sys/kernel/debug/tracing
          # echo 'snapshot' > events/ftrace/print/trigger
          # echo 'cause snapshot' > trace_marker
      
        The rest of the changes are various clean ups and also one stable fix
        that was added late in the cycle"
      
      * tag 'trace-v4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: (21 commits)
        tracing: Use match_string() instead of open coding it in trace_set_options()
        branch-check: fix long->int truncation when profiling branches
        ring-buffer: Fix typo in comment
        ring-buffer: Fix a bunch of typos in comments
        tracing/selftest: Add test to test simple snapshot trigger for trace_marker
        tracing/selftest: Add test to test hist trigger between kernel event and trace_marker
        tracing/selftest: Add selftests to test trace_marker histogram triggers
        ftrace/selftest: Fix reset_trigger() to handle triggers with filters
        ftrace/selftest: Have the reset_trigger code be a bit more careful
        tracing: Document trace_marker triggers
        tracing: Allow histogram triggers to access ftrace internal events
        tracing: Prevent further users of zero size static arrays in trace events
        tracing: Have zero size length in filter logic be full string
        tracing: Add trigger file for trace_markers tracefs/ftrace/print
        tracing: Do not show filter file for ftrace internal events
        tracing: Add brackets in ftrace event dynamic arrays
        tracing: Have event_trace_init() called by trace_init_tracefs()
        tracing: Add __find_event_file() to find event files without restrictions
        tracing: Do not reference event data in post call triggers
        tracepoints: Fix the descriptions of tracepoint_probe_register{_prio}
        ...
      5eb6eed7
    • Linus Torvalds's avatar
      Merge tag 'audit-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit · 8b5c6a3a
      Linus Torvalds authored
      Pull audit updates from Paul Moore:
       "Another reasonable chunk of audit changes for v4.18, thirteen patches
        in total.
      
        The thirteen patches can mostly be broken down into one of four
        categories: general bug fixes, accessor functions for audit state
        stored in the task_struct, negative filter matches on executable
        names, and extending the (relatively) new seccomp logging knobs to the
        audit subsystem.
      
        The main driver for the accessor functions from Richard are the
        changes we're working on to associate audit events with containers,
        but I think they have some standalone value too so I figured it would
        be good to get them in now.
      
        The seccomp/audit patches from Tyler apply the seccomp logging
        improvements from a few releases ago to audit's seccomp logging;
        starting with this patchset the changes in
        /proc/sys/kernel/seccomp/actions_logged should apply to both the
        standard kernel logging and audit.
      
        As usual, everything passes the audit-testsuite and it happens to
        merge cleanly with your tree"
      
      [ Heh, except it had trivial merge conflicts with the SELinux tree that
        also came in from Paul   - Linus ]
      
      * tag 'audit-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
        audit: Fix wrong task in comparison of session ID
        audit: use existing session info function
        audit: normalize loginuid read access
        audit: use new audit_context access funciton for seccomp_actions_logged
        audit: use inline function to set audit context
        audit: use inline function to get audit context
        audit: convert sessionid unset to a macro
        seccomp: Don't special case audited processes when logging
        seccomp: Audit attempts to modify the actions_logged sysctl
        seccomp: Configurable separator for the actions_logged string
        seccomp: Separate read and write code for actions_logged sysctl
        audit: allow not equal op for audit by executable
        audit: add syscall information to FEATURE_CHANGE records
      8b5c6a3a
    • Linus Torvalds's avatar
      Merge tag 'selinux-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux · 8b70543e
      Linus Torvalds authored
      Pull SELinux updates from Paul Moore:
       "SELinux is back with a quiet pull request for v4.18. Three patches,
        all small: two cleanups of the SELinux audit records, and one to
        migrate to a newly defined type (vm_fault_t).
      
        Everything passes our test suite, and as of about five minutes ago it
        merged cleanly with your tree"
      
      * tag 'selinux-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
        audit: normalize MAC_POLICY_LOAD record
        audit: normalize MAC_STATUS record
        security: selinux: Change return type to vm_fault_t
      8b70543e
    • Linus Torvalds's avatar
      Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 10b1eb7d
      Linus Torvalds authored
      Pull security system updates from James Morris:
      
       - incorporate new socketpair() hook into LSM and wire up the SELinux
         and Smack modules. From David Herrmann:
      
           "The idea is to allow SO_PEERSEC to be called on AF_UNIX sockets
            created via socketpair(2), and return the same information as if
            you emulated socketpair(2) via a temporary listener socket.
      
            Right now SO_PEERSEC will return the unlabeled credentials for a
            socketpair, rather than the actual credentials of the creating
            process."
      
       - remove the unused security_settime LSM hook (Sargun Dhillon).
      
       - remove some stack allocated arrays from the keys code (Tycho
         Andersen)
      
      * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        dh key: get rid of stack allocated array for zeroes
        dh key: get rid of stack allocated array
        big key: get rid of stack array allocation
        smack: provide socketpair callback
        selinux: provide socketpair callback
        net: hook socketpair() into LSM
        security: add hook for socketpair()
        security: remove security_settime
      10b1eb7d
    • Linus Torvalds's avatar
      Merge tag 'printk-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk · d75ae5bd
      Linus Torvalds authored
      Pull printk updates from Petr Mladek:
      
       - Help userspace log daemons to catch up with a flood of messages. They
         will get woken after each message even if the console is far behind
         and handled by another process.
      
       - Flush printk safe buffers safely even when panic() happens in the
         normal context.
      
       - Fix possible va_list reuse when race happened in printk_safe().
      
       - Remove %pCr printf format to prevent sleeping in the atomic context.
      
       - Misc vsprintf code cleanup.
      
      * tag 'printk-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
        printk: drop in_nmi check from printk_safe_flush_on_panic()
        lib/vsprintf: Remove atomic-unsafe support for %pCr
        serial: sh-sci: Stop using printk format %pCr
        thermal: bcm2835: Stop using printk format %pCr
        clk: renesas: cpg-mssr: Stop using printk format %pCr
        printk: fix possible reuse of va_list variable
        printk: wake up klogd in vprintk_emit
        vsprintf: Tweak pF/pf comment
        lib/vsprintf: Mark expected switch fall-through
        lib/vsprintf: Replace space with '_' before crng is ready
        lib/vsprintf: Deduplicate pointer_string()
        lib/vsprintf: Move pointer_string() upper
        lib/vsprintf: Make flag_spec global
        lib/vsprintf: Make strspec global
        lib/vsprintf: Make dec_spec global
        lib/test_printf: Mark big constant with UL
      d75ae5bd
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.18' of git://github.com/cminyard/linux-ipmi · 0eb00613
      Linus Torvalds authored
      Pull IPMI updates from Corey Minyard:
       "It's been a busy release for the IPMI driver. Some notable changes:
      
         - A user was running into timeout issues doing maintenance commands
           over the IPMB network behind an IPMI controller.
      
           Extend the maintenance mode concept to messages over IPMB and allow
           the timeouts to be tuned.
      
         - Lots of cleanup, style fixing, some bugfixes, and such.
      
         - At least one user was having trouble with the way the IPMI driver
           would lock the i2c driver module it used.
      
           The IPMI driver was not designed for hotplug. However, hotplug is a
           reality now, so the IPMI driver was modified to support hotplug.
      
         - The proc interface code is now completely removed. Long live sysfs!"
      
      * tag 'for-linus-4.18' of git://github.com/cminyard/linux-ipmi: (35 commits)
        ipmi: Properly release srcu locks on error conditions
        ipmi: NPCM7xx KCS BMC: enable interrupt to the host
        ipmi:bt: Set the timeout before doing a capabilities check
        ipmi: Remove the proc interface
        ipmi_ssif: Fix uninitialized variable issue
        ipmi: add an NPCM7xx KCS BMC driver
        ipmi_si: Clean up shutdown a bit
        ipmi_si: Rename intf_num to si_num
        ipmi: Remove smi->intf checks
        ipmi_ssif: Get rid of unused intf_num
        ipmi: Get rid of ipmi_user_t and ipmi_smi_t in include files
        ipmi: ipmi_unregister_smi() cannot fail, have it return void
        ipmi_devintf: Add an error return on invalid ioctls
        ipmi: Remove usecount function from interfaces
        ipmi_ssif: Remove usecount handling
        ipmi: Remove condition on interface shutdown
        ipmi_ssif: Convert over to a shutdown handler
        ipmi_si: Convert over to a shutdown handler
        ipmi: Rework locking and shutdown for hot remove
        ipmi: Fix some counter issues
        ...
      0eb00613
    • Linus Torvalds's avatar
      Merge tag 'edac_for_4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp · 84504930
      Linus Torvalds authored
      Pull EDAC updates from Borislav Petkov:
      
       - Stratix10 SDRAM support to altera_edac (Thor Thayer)
      
       - the usual misc fixes all over the place
      
      [ Also, shared branch for socfpga_stratix10.dtsi file changes with the
        socfpga tree ]
      
      * tag 'edac_for_4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
        EDAC, ghes: Make platform-based whitelisting x86-only
        EDAC, altera: Fix ARM64 build warning
        EDAC, skx: Fix skx_edac build error when ACPI_NFIT=m
        EDAC, ghes: Use BIT() macro
        EDAC, ghes: Add DDR4 and NVDIMM memory types
        EDAC, altera: Handle SDRAM Uncorrectable Errors on Stratix10
        Documentation: dt: edac: Move Altera SOCFPGA EDAC file
        EDAC, altera: Add support for Stratix10 SDRAM EDAC
        Documentation: dt: socfpga: Add Stratix10 ECC Manager binding
        EDAC, ghes: Remove unused argument to ghes_edac_report_mem_error()
        arm64: dts: stratix10: add sdram ecc
        EDAC, i7core: Fix spelling mistake: "redundacy" -> "redundancy"
        EDAC, ghes: Add a null pointer check in ghes_edac_unregister()
        ghes, EDAC: Fix ghes_edac registration
        arm64: dts: stratix10: Change pad skew values for EMAC0 PHY driver
        ARM: dts: consistently use 'atmel' as at24 manufacturer in cyclone5
        arm64: dts: stratix10: Add PL330 DMAC to Stratix10 dts
        arm64: dts: stratix10: enable i2c, add i2c periperals
        arm64: dts: stratix10: use clock bindings for the Stratix10 platform
      84504930
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · 311da497
      Linus Torvalds authored
      Pull ARM updates from Russell King:
      
       - Initial round of Spectre variant 1 and variant 2 fixes for 32-bit ARM
      
       - Clang support improvements
      
       - nommu updates for v8 MPU
      
       - enable ARM_MODULE_PLTS by default to avoid problems loading modules
         with larger kernels
      
       - vmlinux.lds and dma-mapping cleanups
      
      * 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm: (31 commits)
        ARM: spectre-v1: fix syscall entry
        ARM: spectre-v1: add array_index_mask_nospec() implementation
        ARM: spectre-v1: add speculation barrier (csdb) macros
        ARM: KVM: report support for SMCCC_ARCH_WORKAROUND_1
        ARM: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
        ARM: spectre-v2: KVM: invalidate icache on guest exit for Brahma B15
        ARM: KVM: invalidate icache on guest exit for Cortex-A15
        ARM: KVM: invalidate BTB on guest exit for Cortex-A12/A17
        ARM: spectre-v2: warn about incorrect context switching functions
        ARM: spectre-v2: add firmware based hardening...
      311da497
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-4.18-rc1' of... · ca95bf62
      Linus Torvalds authored
      Merge tag 'linux-kselftest-4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull Kselftest update from Shuah Khan:
      
       - Work to restructure timers test suite to move PIE out of rtctest from
         Alexandre Belloni.
      
       - Several minor spelling and bug fixes.
      
       - New cgroup tests from Roman Gushchin and Mike Rapoport.
      
       - Kselftest framework changes to handle and report skipped tests
         correctly.
      
         Prior to these changes, framework treated all non-zero return codes
         from tests as failures. When tests are skipped with non-zero return
         code, due to unmet dependencies and/or unsupported configuration,
         reporting them as failed lead to false negatives on the tests that
         couldn't be run.
      
       - Fixes to test Makefiles to remove unnecessary RUN_TESTS and
         EMIT_TESTS overrides and use common defines from lib.mk.
      
       - Fixes to several tests to return correct Kselftest skip code.
      
       - Changes to improve test output.
      
      * tag 'linux-kselftest-4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: (55 commits)
        selftests: lib: fix prime_numbers module search and skip logic
        selftests: intel_pstate: notification about privilege required to run intel_pstate testing script
        selftests: cgroup/memcontrol: add basic test for socket accounting
        selftest: intel_pstate: debug support message from aperf.c and return value
        kselftest/cgroup: fix variable dereferenced before check warning
        selftests/intel_pstate: Enhance table printing
        selftests/intel_pstate: Improve test, minor fixes
        selftests: cgroup/memcontrol: add basic test for swap controls
        selftests: cgroup: add memory controller self-tests
        selftests: memfd: split regular and hugetlbfs tests
        selftests: net: return Kselftest Skip code for skipped tests
        selftests: mqueue: return Kselftest Skip code for skipped tests
        selftests: memory-hotplug: return Kselftest Skip code for skipped tests
        selftests: memfd: return Kselftest Skip code for skipped tests
        selftests: membarrier: return Kselftest Skip code for skipped tests
        selftests: media_tests: return Kselftest Skip code for skipped tests
        selftests: locking: return Kselftest Skip code for skipped tests
        selftests: locking: add Makefile for locking test
        selftests: lib: return Kselftest Skip code for skipped tests
        selftests: lib: add prime_numbers.sh test to Makefile
        ...
      ca95bf62