This contains key material in crypto_send_aes_gcm_128 and
crypto_recv_aes_gcm_128.
Introduce union tls_crypto_context, and replace the two identical
unions directly embedded in struct tls_context with it. We can then
use this union to clean up the memory in the new tls_ctx_free()
function.
Fixes: 3c4d755915 ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
There's no need to copy the key to an on-stack buffer before calling
crypto_aead_setkey().
Fixes: 3c4d755915 ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Update 'confirmed' timestamp when ARP packet is received. It shouldn't
affect locktime logic and anyway entry can be confirmed by any higher-layer
protocol. Thus it makes sense to confirm it when ARP packet is received.
Fixes: 77d7123342 ("neighbour: update neigh timestamps iff update is effective")
Signed-off-by: Vasily Khoruzhick <vasilykh@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This fix addresses https://bugzilla.kernel.org/show_bug.cgi?id=201071
Commit 5025f7f7d5 wrongly relied on __dev_change_flags to notify users of
dev flag changes in the case when dev->rtnl_link_state = RTNL_LINK_INITIALIZED.
Fix it by indicating flag changes explicitly to __dev_notify_flags.
Fixes: 5025f7f7d5 ("rtnetlink: add rtnl_link_state check in rtnl_configure_link")
Reported-By: Liam mcbirnie <liam.mcbirnie@boeing.com>
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fields ->dev and ->next of struct ipddp_route may be copied to
userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
to CAP_NET_ADMIN though. Let's manually copy the relevant fields
instead of using memcpy().
BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
When we delete a chain of filters, we need to notify
user-space we are deleting each filters in this chain
too.
Fixes: 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
Cc: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 57f230ab04 ("xen/netfront: raise max number of slots in
xennet_get_responses()") raised the max number of allowed slots by one.
This seems to be problematic in some configurations with netback using
a larger MAX_SKB_FRAGS value (e.g. old Linux kernel with MAX_SKB_FRAGS
defined as 18 instead of nowadays 17).
Instead of BUG_ON() in this case just fall back to retransmission.
Fixes: 57f230ab04 ("xen/netfront: raise max number of slots in xennet_get_responses()")
Cc: stable@vger.kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In inet6_rtm_getroute, since Commit 93531c6743 ("net/ipv6: separate
handling of FIB entries from dst based routes"), it has used rt->from
to dump route info instead of rt.
However for some route like cache, some of its information like flags
or gateway is not the same as that of the 'from' one. It caused 'ip
route get' to dump the wrong route information.
In Jianlin's testing, the output information even lost the expiration
time for a pmtu route cache due to the wrong fib6_flags.
So change to use rt6_info members for dst addr, src addr, flags and
gateway when it tries to dump a route entry without fibmatch set.
v1->v2:
- not use rt6i_prefsrc.
- also fix the gw dump issue.
Fixes: 93531c6743 ("net/ipv6: separate handling of FIB entries from dst based routes")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJbmLg2AAoJEAx081l5xIa+794QAJeBd7XnrQtMS+BWMet0G4Dh
yY1t3LAsP75GiyI73Zbf1mWIdNk1hxli9+9+XVSrK9Yt2oh/AD+Q8BBGW7V3b17S
BvpAhKdQNJut8NskfTKvFE5lz/oMrJCKYFYh/vwigfOXo9ELg9imUcKMQJqHLzPP
SEiS4EgQ00h97FSodqYLj8E8sSIGx61xKkCBgczcpXq6SrxQAIZGW0Ut7cKUebl+
VON1sccI6xKCqVHqv/mqkm/Cugc5c6bj+AUII9NvXljAKptNjb8c813XbjwCCfzC
5OMX084ZXl94jAbqZjJXDYu640tkUpx1+o3eJZOfWz4dM7oTWU59+AHxytQWmF8P
T73o9+r93cQSP0YUb070LkSPr/YSBldb3PFk22mzRX1kHeHPuLzMGGr37Xj/3RI9
Uilddus6n2S7JzLdPl3RNLnDfVwRopc/E7VUbUCMDKrbHjV2tvsyZvBDDgPXCU68
cxG/VXKQsa4yicMbXUCjl+vGwaXZLve1wGGx/ee9Ooaqa7b7L297NWpxqhl3PjhL
G2gySbwa7gItRPw34fhNlzmEoNFk+JyAp3EOYOZQM78+IBKRSwhDVJOrbAjY+H1F
c+sUOdBk+yLQ15MVbhFeq+1puJETnV3ZmJgHjNDUUhRcJamilqfLBNiNUfGm4Pqp
9E8QZTq8BgZqWJE9ep0m
=GbIW
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-2018-09-12' of git://anongit.freedesktop.org/drm/drm
Pull drm nouveau fixes from Dave Airlie:
"I'm sending this separately as it's a bit larger than I generally like
for one driver, but it does contain a bunch of make my nvidia laptop
not die (runpm) and a bunch to make my docking station and monitor
display stuff (mst) fixes.
Lyude has spent a lot of time on these, and we are putting the fixes
into distro kernels as well asap, as it helps a bunch of standard
Lenovo laptops, so I'm fairly happy things are better than they were
before these patches, but I decided to split them out just for
clarification"
* tag 'drm-fixes-2018-09-12' of git://anongit.freedesktop.org/drm/drm:
drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP panels
drm/nouveau/disp: fix DP disable race
drm/nouveau/disp: move eDP panel power handling
drm/nouveau/disp: remove unused struct member
drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
drm/nouveau/mmu: don't attempt to dereference vmm without valid instance pointer
drm/nouveau: fix oops in client init failure path
drm/nouveau: Fix nouveau_connector_ddc_detect()
drm/nouveau/drm/nouveau: Don't forget to cancel hpd_work on suspend/unload
drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early
drm/nouveau: Reset MST branching unit before enabling
drm/nouveau: Only write DP_MSTM_CTRL when needed
drm/nouveau: Remove useless poll_enable() call in drm_load()
drm/nouveau: Remove useless poll_disable() call in switcheroo_set_state()
drm/nouveau: Remove useless poll_enable() call in switcheroo_set_state()
drm/nouveau: Fix deadlocks in nouveau_connector_detect()
drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
drm/nouveau/drm/nouveau: Fix deadlock with fb_helper with async RPM requests
drm/nouveau: Remove duplicate poll_enable() in pmops_runtime_suspend()
drm/nouveau/drm/nouveau: Fix bogus drm_kms_helper_poll_enable() placement
Pull networking fixes from David Miller:
1) Fix up several Kconfig dependencies in netfilter, from Martin Willi
and Florian Westphal.
2) Memory leak in be2net driver, from Petr Oros.
3) Memory leak in E-Switch handling of mlx5 driver, from Raed Salem.
4) mlx5_attach_interface needs to check for errors, from Huy Nguyen.
5) tipc_release() needs to orphan the sock, from Cong Wang.
6) Need to program TxConfig register after TX/RX is enabled in r8169
driver, not beforehand, from Maciej S. Szmigiero.
7) Handle 64K PAGE_SIZE properly in ena driver, from Netanel Belgazal.
8) Fix crash regression in ip_do_fragment(), from Taehee Yoo.
9) syzbot can create conditions where kernel log is flooded with
synflood warnings due to creation of many listening sockets, fix
that. From Willem de Bruijn.
10) Fix RCU issues in rds socket layer, from Cong Wang.
11) Fix vlan matching in nfp driver, from Pieter Jansen van Vuuren.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (59 commits)
nfp: flower: reject tunnel encap with ipv6 outer headers for offloading
nfp: flower: fix vlan match by checking both vlan id and vlan pcp
tipc: check return value of __tipc_dump_start()
s390/qeth: don't dump past end of unknown HW header
s390/qeth: use vzalloc for QUERY OAT buffer
s390/qeth: switch on SG by default for IQD devices
s390/qeth: indicate error when netdev allocation fails
rds: fix two RCU related problems
r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
erspan: fix error handling for erspan tunnel
erspan: return PACKET_REJECT when the appropriate tunnel is not found
tcp: rate limit synflood warnings further
MIPS: lantiq: dma: add dev pointer
netfilter: xt_hashlimit: use s->file instead of s->private
netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT
netfilter: cttimeout: ctnl_timeout_find_get() returns incorrect pointer to type
netfilter: conntrack: timeout interface depend on CONFIG_NF_CONNTRACK_TIMEOUT
netfilter: conntrack: reset tcp maxwin on re-register
qmi_wwan: Support dynamic config on Quectel EP06
ethernet: renesas: convert to SPDX identifiers
...
Jakub Kicinski says:
====================
nfp: flower: fixes for flower offload
Two fixes for flower matching and tunnel encap. Pieter fixes
VLAN matching if the entire VLAN id is masked out and match
is only performed on the PCP field. Louis adds validation of
tunnel flags for encap, most importantly we should not offload
actions on IPv6 tunnels if it's not supported.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This fixes a bug where ipv6 tunnels would report that it is
getting offloaded to hardware but would actually be rejected
by hardware.
Fixes: b27d6a95a7 ("nfp: compile flower vxlan tunnel set actions")
Signed-off-by: Louis Peens <louis.peens@netronome.com>
Reviewed-by: John Hurley <john.hurley@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Previously we only checked if the vlan id field is present when trying
to match a vlan tag. The vlan id and vlan pcp field should be treated
independently.
Fixes: 5571e8c9f2 ("nfp: extend flower matching capabilities")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When __tipc_dump_start() fails with running out of memory,
we have no reason to continue, especially we should avoid
calling tipc_dump_done().
Fixes: 8f5c5fcf35 ("tipc: call start and done ops directly in __tipc_nl_compat_dumpit()")
Reported-and-tested-by: syzbot+3f8324abccfbf8c74a9f@syzkaller.appspotmail.com
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Julian Wiedmann says:
====================
s390/qeth: fixes 2018-09-12
please apply the following qeth fixes for -net.
Patch 1 resolves a regression in an error path, while patch 2 enables
the SG support by default that was newly introduced with 4.19.
Patch 3 takes care of a longstanding problem with large-order
allocations, and patch 4 fixes a potential out-of-bounds access.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
For inbound data with an unsupported HW header format, only dump the
actual HW header. We have no idea how much payload follows it, and what
it contains. Worst case, we dump past the end of the Inbound Buffer and
access whatever is located next in memory.
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
qeth_query_oat_command() currently allocates the kernel buffer for
the SIOC_QETH_QUERY_OAT ioctl with kzalloc. So on systems with
fragmented memory, large allocations may fail (eg. the qethqoat tool by
default uses 132KB).
Solve this issue by using vzalloc, backing the allocation with
non-contiguous memory.
Signed-off-by: Wenjia Zhang <wenjia@linux.ibm.com>
Reviewed-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Scatter-gather transmit brings a nice performance boost. Considering the
rather large MTU sizes at play, it's also totally the Right Thing To Do.
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bailing out on allocation error is nice, but we also need to tell the
ccwgroup core that creating the qeth groupdev failed.
Fixes: d3d1b205e8 ("s390/qeth: allocate netdevice early")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This tag contains what I hope to be the last RISC-V patch for 4.19. It
fixes a bug in our initramfs support by removing some broken and
obselete code.
-----BEGIN PGP SIGNATURE-----
iQJHBAABCAAxFiEEAM520YNJYN/OiG3470yhUCzLq0EFAluPHykTHHBhbG1lckBk
YWJiZWx0LmNvbQAKCRDvTKFQLMurQX7iD/41XF5oXHJeRUfhiHVa/kiqFaCw1aEx
YPp5escHEypGshWQJGd+ite5cEz0nrggsbmXJrQnfpU8fqgpkvguaIbOb9JAtOdj
Y5hjQ5QgiQcsUrLnhy7yK62fpC27WwWPGfT73cLRgir2oDEI3F7CkaA0uX3y2kLF
9TEN2v+DL+89Y/Rq9mzRwwPOryZRNXZkxI6tqTVa7wZZzi7fSUMCG2msjeZRszQe
0IPyBtVR7OECzEaRwSETgC05KTFxCQ2JHMjHz1TatjvJmGU3ToP0uRZ1oYXDXcR3
AM2QfjBQDmBOjRRKBbwaiUzfX209eGrn/JK3j6BZZredX9MCP+qduuQV+7GsvRT2
ryCoWN56AAIMZJvmp57lG9jfDptxnS6zZCqw+mufsD1s3c/78zUv7Q5PPUdcfzuP
qt7iVdUUP5QWDFgM0QumeZ9JuekoA0Kpsmg4Nq6M6YHimW63Y2+CJPqPfh1oY93t
UoabFgz7FZ0WLo1jHtGVteihq78SKxTe4WYEDzjH++qrVPuYnbNH3Hfqwynj6Wsy
fvNxmnjg1AVhD9MPSBJLDbQivxW4pEwuxV99MpwLhVdwGXDTAgt9t9mUP5xAaLna
60jszx1GM8HVMeQ0LNAGRWa8FH0bvn2kpLOBjvdMHl8Y/Oq/IuaINRJCKq59j/4X
Qx963ajYY5QUHg==
=XdJZ
-----END PGP SIGNATURE-----
Merge tag 'riscv-for-linus-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux
Pull RISC-V fix from Palmer Dabbelt:
"This contains what I hope to be the last RISC-V patch for 4.19.
It fixes a bug in our initramfs support by removing some broken and
obselete code"
* tag 'riscv-for-linus-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux:
riscv: Do not overwrite initrd_start and initrd_end
Three fixes, all in drivers (qedi and iscsi target) so no wider impact
even if the code changes are a bit extensive.
Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
-----BEGIN PGP SIGNATURE-----
iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCW5j4lSYcamFtZXMuYm90
dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishQu2AP4qUqU8
GllFu4qLkUTuST/lI7/xcXIzMb6JDCwvPviQlgD/bNfkzGG9EtpIF6HPqY9rTqu+
RRbIlmx4xMcLWxSD0jM=
=oOPZ
-----END PGP SIGNATURE-----
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"Three fixes, all in drivers (qedi and iscsi target) so no wider impact
even if the code changes are a bit extensive"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: qedi: Add the CRC size within iSCSI NVM image
scsi: iscsi: target: Fix conn_ops double free
scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails
When a rds sock is bound, it is inserted into the bind_hash_table
which is protected by RCU. But when releasing rds sock, after it
is removed from this hash table, it is freed immediately without
respecting RCU grace period. This could cause some use-after-free
as reported by syzbot.
Mark the rds sock with SOCK_RCU_FREE before inserting it into the
bind_hash_table, so that it would be always freed after a RCU grace
period.
The other problem is in rds_find_bound(), the rds sock could be
freed in between rhashtable_lookup_fast() and rds_sock_addref(),
so we need to extend RCU read lock protection in rds_find_bound()
to close this race condition.
Reported-and-tested-by: syzbot+8967084bcac563795dc6@syzkaller.appspotmail.com
Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Cc: rds-devel@oss.oracle.com
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oarcle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
After system suspend, sometimes the r8169 doesn't work when ethernet
cable gets pluggued.
This issue happens because rtl_reset_work() doesn't get called from
rtl8169_runtime_resume(), after system suspend.
In rtl_task(), RTL_FLAG_TASK_* only gets cleared if this condition is
met:
if (!netif_running(dev) ||
!test_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags))
...
If RTL_FLAG_TASK_ENABLED was cleared during system suspend while
RTL_FLAG_TASK_RESET_PENDING was set, the next rtl_schedule_task() won't
schedule task as the flag is still there.
So in addition to clearing RTL_FLAG_TASK_ENABLED, also clears other
flags.
Cc: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When processing icmp unreachable message for erspan tunnel, tunnel id
should be erspan_net_id instead of ipgre_net_id.
Fixes: 84e54fe0a5 ("gre: introduce native tunnel support for ERSPAN")
Cc: William Tu <u9012063@gmail.com>
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Acked-by: William Tu <u9012063@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
If erspan tunnel hasn't been established, we'd better send icmp port
unreachable message after receive erspan packets.
Fixes: 84e54fe0a5 ("gre: introduce native tunnel support for ERSPAN")
Cc: William Tu <u9012063@gmail.com>
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Acked-by: William Tu <u9012063@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Convert pr_info to net_info_ratelimited to limit the total number of
synflood warnings.
Commit 946cedccbd ("tcp: Change possible SYN flooding messages")
rate limits synflood warnings to one per listener.
Workloads that open many listener sockets can still see a high rate of
log messages. Syzkaller is one frequent example.
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
dma_zalloc_coherent() now crashes if no dev pointer is given.
Add a dev pointer to the ltq_dma_channel structure and fill it in the
driver using it.
This fixes a bug introduced in kernel 4.19.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for you net tree:
1) Remove duplicated include at the end of UDP conntrack, from Yue Haibing.
2) Restore conntrack dependency on xt_cluster, from Martin Willi.
3) Fix splat with GSO skbs from the checksum target, from Florian Westphal.
4) Rework ct timeout support, the template strategy to attach custom timeouts
is not correct since it will not work in conjunction with conntrack zones
and we have a possible free after use when removing the rule due to missing
refcounting. To fix these problems, do not use conntrack template at all
and set custom timeout on the already valid conntrack object. This
fix comes with a preparation patch to simplify timeout adjustment by
initializating the first position of the timeout array for all of the
existing trackers. Patchset from Florian Westphal.
5) Fix missing dependency on from IPv4 chain NAT type, from Florian.
6) Release chain reference counter from the flush path, from Taehee Yoo.
7) After flushing an iptables ruleset, conntrack hooks are unregistered
and entries are left stale to be cleaned up by the timeout garbage
collector. No TCP tracking is done on established flows by this time.
If ruleset is reloaded, then hooks are registered again and TCP
tracking is restored, which considers packets to be invalid. Clear
window tracking to exercise TCP flow pickup from the middle given that
history is lost for us. Again from Florian.
8) Fix crash from netlink interface with CONFIG_NF_CONNTRACK_TIMEOUT=y
and CONFIG_NF_CT_NETLINK_TIMEOUT=n.
9) Broken CT target due to returning incorrect type from
ctnl_timeout_find_get().
10) Solve conntrack clash on NF_REPEAT verdicts too, from Michal Vaner.
11) Missing conversion of hashlimit sysctl interface to new API, from
Cong Wang.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull HID fixes from Jiri Kosina:
- functional regression fix for sensor-hub driver from Hans de Goede
- stop doing device reset for i2c-hid devices, which unbreaks some of
them (and is in line with the specification), from Kai-Heng Feng
- error handling fix for hid-core from Gustavo A. R. Silva
- functional regression fix for some Elan panels from Benjamin
Tissoires
- a few new device ID additions and misc small fixes
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: i2c-hid: Don't reset device upon system resume
HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub report
HID: core: fix NULL pointer dereference
HID: core: fix grouping by application
HID: multitouch: fix Elan panels with 2 input modes declaration
HID: hid-saitek: Add device ID for RAT 7 Contagion
HID: core: fix memory leak on probe
HID: input: fix leaking custom input node name
HID: add support for Apple Magic Keyboards
HID: i2c-hid: Fix flooded incomplete report after S3 on Rayd touchscreen
HID: intel-ish-hid: Enable Sunrise Point-H ish driver
- Fix possible FD type confusion crash
- Fix a user trigger-able crash in cxgb4
- Fix bad handling of IOMMU resources causing user controlled leaking in
bnxt
- Add missing locking in ipoib to fix a rare 'stuck tx' situation
- Add missing locking in cma
- Add two missing missing uverbs cleanups on failure paths, regressions
from this merge window
- Fix a regression from this merge window that caused RDMA NFS to not work
with the mlx4 driver due to the max_sg changes
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEfB7FMLh+8QxL+6i3OG33FX4gmxoFAluW9yAACgkQOG33FX4g
mxqA7xAAkUb80Q+ssrAFSlGGkPU9ArWD3Bk6bqUHZG2/CbgA45gUuHm7GaYMnBxL
CGULlnL9ejt2LpQUTkWxyVXRwA67wdgfFf+W+bJSJdz1WZNzRZUjC2xNcfjSeVhN
YabxXcZHj4yiEokQpOo+ya2/ygL72Z9f9edIXzg0DjHkjyyGxbNJ+My7gN9odlzl
jcnE3kDTO7YcycwIg5K9a1H9SmioTgXYUioAFUkqB35L5Ye2M/laPJXCEAnKVOgy
HI6VXigphK53y/NbArjO8ou6Lq4gvbunyx1fbXReTwRfYjSRhuWqtvE6z26e4PSs
2BuyGOisLAhWOv9zJRRYXdknZYl9nOfGwraJ76JTbvO58GmORE1yxrIdF0WtuJnH
zDSeBRU5vDMDhrMrLmyfkNe1xugVlcsOur+RDg0ZGxakgXtvxJJiI76qzJpNFu29
T+uLj6j97AgTj/ztQ3Ujse2yaGj0Ldsv98VokBhDSo2oXQrRgvmgHpKzvrBLeAid
28BuER7F5DY6mqSdsBni+LO/Nzn6nSN+82aEy67ltqRLu2Ippu+T4aEo2ArdGyas
cwhJW+5kRL+oVU/X1/PkdlhsXy5w7h746tvklD+hItvMs+PZ4tZrbeEsLlzsMzQh
b15/TQ7RRNOB/NSFh9hW2M0e6ReeSaPuxspNYb1SLUVrft9eCtU=
=33No
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
Pull rdma fixes from Jason Gunthorpe:
"This fixes one major regression with NFS and mlx4 due to the max_sg
rework in this merge window, tidies a few minor error_path
regressions, and various small fixes.
The HFI1 driver is broken this cycle due to a regression caused by a
PCI change, it is looking like Bjorn will merge a fix for this. Also,
the lingering ipoib issue I mentioned earlier still remains unfixed.
Summary:
- Fix possible FD type confusion crash
- Fix a user trigger-able crash in cxgb4
- Fix bad handling of IOMMU resources causing user controlled leaking
in bnxt
- Add missing locking in ipoib to fix a rare 'stuck tx' situation
- Add missing locking in cma
- Add two missing missing uverbs cleanups on failure paths,
regressions from this merge window
- Fix a regression from this merge window that caused RDMA NFS to not
work with the mlx4 driver due to the max_sg changes"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
RDMA/mlx4: Ensure that maximal send/receive SGE less than supported by HW
RDMA/cma: Protect cma dev list with lock
RDMA/uverbs: Fix error cleanup path of ib_uverbs_add_one()
bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces
IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
iw_cxgb4: only allow 1 flush on user qps
IB/core: Release object lock if destroy failed
RDMA/ucma: check fd type in ucma_migrate_id()
After switching to the new procfs API, it is supposed to
retrieve the private pointer from PDE_DATA(file_inode(s->file)),
s->private is no longer referred.
Fixes: 1cd6718272 ("netfilter/x_tables: switch to proc_create_seq_private")
Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Christoph Hellwig <hch@lst.de>
Tested-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
NF_REPEAT places the packet at the beginning of the iptables chain
instead of accepting or rejecting it right away. The packet however will
reach the end of the chain and continue to the end of iptables
eventually, so it needs the same handling as NF_ACCEPT and NF_DROP.
Fixes: 368982cd7d ("netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks")
Signed-off-by: Michal 'vorner' Vaner <michal.vaner@avast.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Compiler did not catch incorrect typing in the rcu hook assignment.
% nfct add timeout test-tcp inet tcp established 100 close 10 close_wait 10
% iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp
dmesg - xt_CT: Timeout policy `test-tcp' can only be used by L3 protocol number 25000
The CT target bails out with incorrect layer 3 protocol number.
Fixes: 6c1fd7dc48 ("netfilter: cttimeout: decouple timeout policy from nfnetlink_cttimeout object")
Reported-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Now that cttimeout support for nft_ct is in place, these should depend
on CONFIG_NF_CONNTRACK_TIMEOUT otherwise we can crash when dumping the
policy if this option is not enabled.
[ 71.600121] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[...]
[ 71.600141] CPU: 3 PID: 7612 Comm: nft Not tainted 4.18.0+ #246
[...]
[ 71.600188] Call Trace:
[ 71.600201] ? nft_ct_timeout_obj_dump+0xc6/0xf0 [nft_ct]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Doug Smythies says:
Sometimes it is desirable to temporarily disable, or clear,
the iptables rule set on a computer being controlled via a
secure shell session (SSH). While unwise on an internet facing
computer, I also do it often on non-internet accessible computers
while testing. Recently, this has become problematic, with the
SSH session being dropped upon re-load of the rule set.
The problem is that when all rules are deleted, conntrack hooks get
unregistered.
In case the rules are re-added later, its possible that tcp window
has moved far enough so that all packets are considered invalid (out of
window) until entry expires (which can take forever, default
established timeout is 5 days).
Fix this by clearing maxwin of existing tcp connections on register.
v2: don't touch entries on hook removal.
v3: remove obsolete expiry check.
Reported-by: Doug Smythies <dsmythies@telus.net>
Fixes: 4d3a57f23d ("netfilter: conntrack: do not enable connection tracking unless needed")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Quectel EP06 (and EM06/EG06) supports dynamic configuration of USB
interfaces, without the device changing VID/PID or configuration number.
When the configuration is updated and interfaces are added/removed, the
interface numbers change. This means that the current code for matching
EP06 does not work.
This patch removes the current EP06 interface number match, and replaces
it with a match on class, subclass and protocol. Unfortunately, matching
on those three alone is not enough, as the diag interface exports the
same values as QMI. The other serial interfaces + adb export different
values and do not match.
The diag interface only has two endpoints, while the QMI interface has
three. I have therefore added a check for number of interfaces, and we
ignore the interface if the number of endpoints equals two.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch updates license to use SPDX-License-Identifier
instead of verbose license text.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
tls_sw_sendmsg() allocates plaintext and encrypted SG entries using
function sk_alloc_sg(). In case the number of SG entries hit
MAX_SKB_FRAGS, sk_alloc_sg() returns -ENOSPC and sets the variable for
current SG index to '0'. This leads to calling of function
tls_push_record() with 'sg_encrypted_num_elem = 0' and later causes
kernel crash. To fix this, set the number of SG elements to the number
of elements in plaintext/encrypted SG arrays in case sk_alloc_sg()
returns -ENOSPC.
Fixes: 3c4d755915 ("tls: kernel TLS support")
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Netanel Belgazal says:
====================
bug fixes for ENA Ethernet driver
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Added memory barriers where they were missing to support multiple
architectures, and removed redundant ones.
As part of removing the redundant memory barriers and improving
performance, we moved to more relaxed versions of memory barriers,
as well as to the more relaxed version of writel - writel_relaxed,
while maintaining correctness.
Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add READ_ONCE calls where necessary (for example when iterating
over a memory field that gets updated by the hardware).
Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
acquire the rtnl_lock during device destruction to avoid
using partially destroyed device.
ena_remove() shares almost the same logic as ena_destroy_device(),
so use ena_destroy_device() and avoid duplications.
Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
ena_destroy_device() can potentially be called twice.
To avoid this, check that the device is running and
only then proceed destroying it.
Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When ena_destroy_device() is called from ena_suspend(), the device is
still reachable from the driver. Therefore, the driver can send a command
to the device to free all resources.
However, in all other cases of calling ena_destroy_device(), the device is
potentially in an error state and unreachable from the driver. In these
cases the driver must not send commands to the device.
The current implementation does not request resource freeing from the
device even when possible. We add the graceful parameter to
ena_destroy_device() to enable resource freeing when possible, and
use it in ena_suspend().
Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The buffer length field in the ena rx descriptor is 16 bit, and the
current driver passes a full page in each ena rx descriptor.
When PAGE_SIZE equals 64kB or more, the buffer length field becomes
zero.
To solve this issue, limit the ena Rx descriptor to use 16kB even
when allocating 64kB kernel pages. This change would not impact ena
device functionality, as 16kB is still larger than maximum MTU.
Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Starting with driver version 1.5.0, in case of a surprise device
unplug, there is a race caused by invoking ena_destroy_device()
from two different places. As a result, the readless register might
be accessed after it was destroyed.
Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sabrina Dubroca
Vasily Khoruzhick
Roopa Prabhu
Willy Tarreau
Stephen Hemminger
Cong Wang
Juergen Gross
Xin Long
Linus Torvalds
David S. Miller
Louis Peens
Pieter Jansen van Vuuren
Julian Wiedmann
Wenjia Zhang
Kai-Heng Feng
Haishuang Yan
Willem de Bruijn
Hauke Mehrtens
Dave Airlie
Michal 'vorner' Vaner
Pablo Neira Ayuso
Florian Westphal
Kristian Evensen
Kuninori Morimoto
Taehee Yoo
Vakul Garg
Netanel Belgazal