diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-09-23 11:41:27 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-09-23 11:41:27 -0400 |
| commit | 71aa60f67f032dffe58999bd8ae4b2f38a9ea05e (patch) | |
| tree | 4d755f640b3135b14bf482215609b22379b62554 /kernel | |
| parent | 79444df4e7f03843be78e4b9188d095931648842 (diff) | |
| parent | 4e683f499a15cd777d3cb51aaebe48d72334c852 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix NAPI poll list corruption in enic driver, from Christian
Lamparter.
2) Fix route use after free, from Eric Dumazet.
3) Fix regression in reuseaddr handling, from Josef Bacik.
4) Assert the size of control messages in compat handling since we copy
it in from userspace twice. From Meng Xu.
5) SMC layer bug fixes (missing RCU locking, bad refcounting, etc.)
from Ursula Braun.
6) Fix races in AF_PACKET fanout handling, from Willem de Bruijn.
7) Don't use ARRAY_SIZE on spinlock array which might have zero
entries, from Geert Uytterhoeven.
8) Fix miscomputation of checksum in ipv6 udp code, from Subash Abhinov
Kasiviswanathan.
9) Push the ipv6 header properly in ipv6 GRE tunnel driver, from Xin
Long.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (75 commits)
inet: fix improper empty comparison
net: use inet6_rcv_saddr to compare sockets
net: set tb->fast_sk_family
net: orphan frags on stand-alone ptype in dev_queue_xmit_nit
MAINTAINERS: update git tree locations for ieee802154 subsystem
net: prevent dst uses after free
net: phy: Fix truncation of large IRQ numbers in phy_attached_print()
net/smc: no close wait in case of process shut down
net/smc: introduce a delay
net/smc: terminate link group if out-of-sync is received
net/smc: longer delay for client link group removal
net/smc: adapt send request completion notification
net/smc: adjust net_device refcount
net/smc: take RCU read lock for routing cache lookup
net/smc: add receive timeout check
net/smc: add missing dev_put
net: stmmac: Cocci spatch "of_table"
lan78xx: Use default values loaded from EEPROM/OTP after reset
lan78xx: Allow EEPROM write for less than MAX_EEPROM_SIZE
lan78xx: Fix for eeprom read/write when device auto suspend
...
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/bpf/devmap.c | 6 | ||||
| -rw-r--r-- | kernel/bpf/syscall.c | 6 | ||||
| -rw-r--r-- | kernel/bpf/verifier.c | 7 | ||||
| -rw-r--r-- | kernel/events/core.c | 3 |
4 files changed, 16 insertions, 6 deletions
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 959c9a07f318..e093d9a2c4dd 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c | |||
| @@ -75,8 +75,8 @@ static u64 dev_map_bitmap_size(const union bpf_attr *attr) | |||
| 75 | static struct bpf_map *dev_map_alloc(union bpf_attr *attr) | 75 | static struct bpf_map *dev_map_alloc(union bpf_attr *attr) |
| 76 | { | 76 | { |
| 77 | struct bpf_dtab *dtab; | 77 | struct bpf_dtab *dtab; |
| 78 | int err = -EINVAL; | ||
| 78 | u64 cost; | 79 | u64 cost; |
| 79 | int err; | ||
| 80 | 80 | ||
| 81 | /* check sanity of attributes */ | 81 | /* check sanity of attributes */ |
| 82 | if (attr->max_entries == 0 || attr->key_size != 4 || | 82 | if (attr->max_entries == 0 || attr->key_size != 4 || |
| @@ -108,6 +108,8 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr) | |||
| 108 | if (err) | 108 | if (err) |
| 109 | goto free_dtab; | 109 | goto free_dtab; |
| 110 | 110 | ||
| 111 | err = -ENOMEM; | ||
| 112 | |||
| 111 | /* A per cpu bitfield with a bit per possible net device */ | 113 | /* A per cpu bitfield with a bit per possible net device */ |
| 112 | dtab->flush_needed = __alloc_percpu(dev_map_bitmap_size(attr), | 114 | dtab->flush_needed = __alloc_percpu(dev_map_bitmap_size(attr), |
| 113 | __alignof__(unsigned long)); | 115 | __alignof__(unsigned long)); |
| @@ -128,7 +130,7 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr) | |||
| 128 | free_dtab: | 130 | free_dtab: |
| 129 | free_percpu(dtab->flush_needed); | 131 | free_percpu(dtab->flush_needed); |
| 130 | kfree(dtab); | 132 | kfree(dtab); |
| 131 | return ERR_PTR(-ENOMEM); | 133 | return ERR_PTR(err); |
| 132 | } | 134 | } |
| 133 | 135 | ||
| 134 | static void dev_map_free(struct bpf_map *map) | 136 | static void dev_map_free(struct bpf_map *map) |
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index cb17e1cd1d43..25d074920a00 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c | |||
| @@ -186,15 +186,17 @@ static int bpf_map_alloc_id(struct bpf_map *map) | |||
| 186 | 186 | ||
| 187 | static void bpf_map_free_id(struct bpf_map *map, bool do_idr_lock) | 187 | static void bpf_map_free_id(struct bpf_map *map, bool do_idr_lock) |
| 188 | { | 188 | { |
| 189 | unsigned long flags; | ||
| 190 | |||
| 189 | if (do_idr_lock) | 191 | if (do_idr_lock) |
| 190 | spin_lock_bh(&map_idr_lock); | 192 | spin_lock_irqsave(&map_idr_lock, flags); |
| 191 | else | 193 | else |
| 192 | __acquire(&map_idr_lock); | 194 | __acquire(&map_idr_lock); |
| 193 | 195 | ||
| 194 | idr_remove(&map_idr, map->id); | 196 | idr_remove(&map_idr, map->id); |
| 195 | 197 | ||
| 196 | if (do_idr_lock) | 198 | if (do_idr_lock) |
| 197 | spin_unlock_bh(&map_idr_lock); | 199 | spin_unlock_irqrestore(&map_idr_lock, flags); |
| 198 | else | 200 | else |
| 199 | __release(&map_idr_lock); | 201 | __release(&map_idr_lock); |
| 200 | } | 202 | } |
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 799b2451ef2d..b914fbe1383e 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c | |||
| @@ -4205,7 +4205,12 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) | |||
| 4205 | } | 4205 | } |
| 4206 | 4206 | ||
| 4207 | if (insn->imm == BPF_FUNC_redirect_map) { | 4207 | if (insn->imm == BPF_FUNC_redirect_map) { |
| 4208 | u64 addr = (unsigned long)prog; | 4208 | /* Note, we cannot use prog directly as imm as subsequent |
| 4209 | * rewrites would still change the prog pointer. The only | ||
| 4210 | * stable address we can use is aux, which also works with | ||
| 4211 | * prog clones during blinding. | ||
| 4212 | */ | ||
| 4213 | u64 addr = (unsigned long)prog->aux; | ||
| 4209 | struct bpf_insn r4_ld[] = { | 4214 | struct bpf_insn r4_ld[] = { |
| 4210 | BPF_LD_IMM64(BPF_REG_4, addr), | 4215 | BPF_LD_IMM64(BPF_REG_4, addr), |
| 4211 | *insn, | 4216 | *insn, |
diff --git a/kernel/events/core.c b/kernel/events/core.c index 3e691b75b2db..6bc21e202ae4 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c | |||
| @@ -8171,6 +8171,7 @@ static int perf_event_set_bpf_prog(struct perf_event *event, u32 prog_fd) | |||
| 8171 | } | 8171 | } |
| 8172 | } | 8172 | } |
| 8173 | event->tp_event->prog = prog; | 8173 | event->tp_event->prog = prog; |
| 8174 | event->tp_event->bpf_prog_owner = event; | ||
| 8174 | 8175 | ||
| 8175 | return 0; | 8176 | return 0; |
| 8176 | } | 8177 | } |
| @@ -8185,7 +8186,7 @@ static void perf_event_free_bpf_prog(struct perf_event *event) | |||
| 8185 | return; | 8186 | return; |
| 8186 | 8187 | ||
| 8187 | prog = event->tp_event->prog; | 8188 | prog = event->tp_event->prog; |
| 8188 | if (prog) { | 8189 | if (prog && event->tp_event->bpf_prog_owner == event) { |
| 8189 | event->tp_event->prog = NULL; | 8190 | event->tp_event->prog = NULL; |
| 8190 | bpf_prog_put(prog); | 8191 | bpf_prog_put(prog); |
| 8191 | } | 8192 | } |